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Abstract 

We construct the first (key-policy) attribute-based encryption (ABE) system with short 
secret keys: the size of keys in our system depends only on the depth of the policy circuit, 
not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in 
gates thereby further reducing the circuit depth. Building on this ABE system we obtain the 
first reusable circuit garbling scheme that produces garbled circuits whose size is the same as 
the original circuit plus an additive poly(A, d) bits, where A is the security parameter and d is 
the circuit depth. Save the additive poly(A, d) factor, this is the best one could hope for. All 
previous constructions incurred a multiplicative poly(A) blowup. As another application, we 
obtain (single key secure) functional encryption with short secret keys. 

We construct our attribute-based system using a mechanism we call fully key-homomorphic 
encryption which is a public-key system that lets anyone translate a ciphertext encrypted under 
a public- key x into a ciphertext encrypted under the public-key (/(x), /) of the same plaintext, 
for any efficiently computable /. We show that this mechanism gives an ABE with short keys. 
Security is based on the subexponential hardness of the learning with errors problem. 

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: 
an encryption to an attribute vector x is the size of x plus poly(A, d) additional bits. This gives 
a reusable circuit garbling scheme where the size of the garbled input is short, namely the same 
as that of the original input, plus a poly(A,d) factor. 
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1 Introduction 



(Key-policy) attribute-based encryption [SW05, GPSW06] is a public- key encryption mechanism 
where every secret key skj is associated with some function / : X — > y and an encryption of a 
message \x is labeled with a public attribute vector x £ X. The encryption of jjl can be decrypted 
using skj only if /(x) = 0 € y. Intuitively, the security requirement is collusion resistance: a 
coalition of users learns nothing about the plaintext message fi if none of their individual keys are 
authorized to decrypt the ciphertext. 

Attribute-based encryption (ABE) is a powerful generalization of identity-based encryption [Sha84, 
BF03, CocOl] and fuzzy IBE [SW05, ABV+12] and is a special case of functional encryption [BSW11]. 
It is used as a building-block in applications that demand complex access control to encrypted 
data [PTMW06], in designing protocols for verifiably outsourcing computations [PRV12], and for 
single- use functional encryption [GKP + 13b]. Here we focus on key-policy ABE where the access 
policy is embedded in the secret key. The dual notion called ciphertext-policy ABE can be realized 
from this using universal circuits, as explained in [GPSW06, GGH + 13c]. 

The past few years have seen much progress in constructing secure and efficient ABE schemes 
from different assumptions and for different settings. The first constructions [GPSW06, LOS + 10, 
OT10, LW12, Watl2, Boyl3, HW13] apply to predicates computable by Boolean formulas which 
are a subclass of log-space computations. More recently, important progress has been made on con- 
structions for the set of all polynomial-size circuits: Gorbunov, Vaikuntanathan, and Wee [GVW13] 
gave a construction from the Learning With Errors (LWE) problem and Garg, Gentry, Halevi, Sa- 
hai, and Waters [GGH + 13c] gave a construction using multilinear maps. In both constructions the 
policy functions are represented as Boolean circuits composed of fan-in 2 gates and the secret key 
size is proportional to the size of the circuit. 

Our results. We present two new key-policy ABE systems. Our first system, which is the 
centerpiece of this paper, is an ABE based on the learning with errors problem [Reg05] that supports 
functions / represented as arithmetic circuits with large fan-in gates. It has secret keys whose size 
is proportional to depth of the circuit for /, not its size. Secret keys in previous ABE constructions 
contained an element (such as a matrix) for every gate or wire in the circuit. In our scheme the 
secret key is a single matrix corresponding only to the final output wire from the circuit. We prove 
selective security of the system and observe that by a standard complexity leveraging argument (as 
in [BB11]) the system can be made adaptively secure. 

Theorem 1.1 (Informal). Let A be the security parameter. Assuming subexponential LWE, there 
is an ABE scheme for the class of functions with depth-d circuits where the size of the secret key 
for a circuit C is poly(A, d). 

Our second ABE system, based on multilinear maps ([BS02],[GGH13a]), optimizes the cipher- 
text size rather than the secret key size. The construction here relies on a generalization of broad- 
cast encryption [FN93, BGW05, BW13] and the attribute-based encryption scheme of [GGH + 13c]. 
Previously, ABE schemes with short ciphertexts were known only for the class of Boolean formu- 
las [ALdPll]. 

Theorem 1.2 (Informal). Let A be the security parameter. Assuming that d-level multilinear maps 
exist, there is an ABE scheme for the class of functions with depth-d circuits where the size of the 
encryption of an attribute vector x is |x| + poly(A, d). 
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Our ABE schemes result in a number of applications and have many desirable features, which 
we describe next. 

Applications to reusable garbled circuits. Over the years, garbled circuits and variants have 
found many uses: in two party [Yao86] and multi-party secure protocols [GMW87, BMR90], one- 
time programs [GKR08], key-dependent message security [BHHI10], verifiable computation [GGP10], 
homomorphic computations [GHV10] and many others. Classical circuit garbling schemes produced 
single- use garbled circuits which could only be used in conjunction with one garbled input. Gold- 
wasser et al. [GKP + 13b] recently showed the first fully reusable circuit garbling schemes and used 
them to construct token-based program obfuscation schemes and k-time programs [GKP + 13b]. 

Most known constructions of both single-use and reusable garbled circuits proceed by garbling 
each gate to produce a garbled truth table, resulting in a multiplicative size blowup of poly (A). A 
fundamental question regarding garbling schemes is: How small can the garbled circuit be? 

There are three exceptions to the gate-by-gate garbling method that we are aware of. The 
first is the "free XOR" optimization for single-use garbling schemes introduced by Kolesnikov and 
Schneider [KS08] where one produces garbled tables only for the AND gates in the circuit C. This 
still results in a multiplicative poly(A) overhead but proportional to the number of AND gates 
(as opposed to the total number of gates). Secondly, Lu and Ostrovsky [L013] recently showed 
a single-use garbling scheme for RAM programs, where the size of the garbled program grows as 
poly (A) times its running time. Finally, Goldwasser et al. [GKP + 13a] show how to (reusably) garble 
non-uniform Turing machines under a non-standard and non-falsifiable assumption and incurring 
a multiplicative poly(A) overhead in the size of the non-uniformity of the machine. In short, all 
known garbling schemes (even in the single-use setting) suffer from a multiplicative overhead of 
poly(A) in the circuit size or the running time. 

Using our first ABE scheme (based on LWE) in conjunction with the techniques of Goldwasser 
et al. [GKP + 13b], we obtain the first reusable garbled circuits whose size is \C\ + poly(A, d). For 
large and shallow circuits, such as those that arise from database lookup, search and some machine 
learning applications, this gives significant bandwidth savings over previous methods (even in the 
single use setting). 

Theorem 1.3 (Informal). Assuming subexponential LWE, there is a reusable circuit garbling 
scheme that garbles a depth-d circuit C into a circuit C such that \C\ = \C\ + poly(A, d), and 
garbles an input x into an encoded input x such that \x\ = \x\ • poly(A,cf). 

We next ask if we can obtain short garbled inputs of size |x| = |x| + poly(A, d), analogous to what 
we achieved for the garbled circuit. In a beautiful recent work, Applebaum, Ishai, Kushilevitz and 
Waters [AIKW13] showed constructions of single-use garbled circuits with short garbled inputs of 
size |x| = |x| + poly(A). We remark that while their garbled inputs are short, their garbled circuits 
still incur a multiplicative poly(A) overhead. 

Using our second ABE scheme (based on multilinear maps) in conjunction with the techniques 
of Goldwasser et al. [GKP + 13b], we obtain the first reusable garbling scheme with garbled inputs 
of size |x| + poly(A, d). 

Theorem 1.4 (Informal). Assuming subexponential LWE and the existence of d-level multilinear 
maps, there is a reusable circuit garbling scheme that garbles a depth-d circuit C into a circuit 
C such that \C\ = \C\ ■ poly(A,cf), and garbles an input x into an encoded input x such that 
|x| = |x| + poly(A, d). 
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A natural open question is to construct a scheme which produces both short garbled circuits 
and short garbled inputs. We first focus on describing the ABE schemes and then give details of 
the garbling scheme. 

ABE for arithmetic circuits. For a prime q, our first ABE system (based on LWE) directly 
handles arithmetic circuits with weighted addition and multiplication gates over Z 9 , namely gates 
of the form 

g+(xi, . . . ,x k ) = a 1 x 1 + . . . + a k x k and g x (ari, . . . , x k ) = a ■ x-y ■ ■ ■ x k 

where the weights ct{ can be arbitrary elements in Z g . Previous ABE constructions worked with 
Boolean circuits. 

Addition gates g+ take arbitrary inputs x±, . . . ,x k £ 7L q . However, for multiplication gates g x , 
we require that the inputs are somewhat smaller than q, namely in the range [— p,p] for some p < q. 
(In fact, our construction allows for one of the inputs to g x to be arbitrarily large in Z ? ). Hence, 
while / : Z e q -> Z q can be an arbitrary polynomial-size arithmetic circuit, decryption will succeed 
only for attribute vectors x for which /(x) = 0 and the inputs to all multiplication gates in the 
circuit are in [— p,p\. We discuss the relation between p and q at the end of the section. 

We can in turn apply our arithmetic ABE construction to Boolean circuits with large fan-in 
resulting in potentially large savings over constructions restricted to fan-in two gates. An AND 
gate can be implemented as A(x±, . . . , x k ) = x\ ■ ■ ■ x k and an OR gate as V(xi, . . . , x k ) = 1 — (1 — 
Xi) ■ • ■ (1 — x k ). In this setting, the inputs to the gates g + and g x are naturally small, namely 
in {0, 1}. Thus, unbounded fan-in allows us to consider circuits with smaller size and depth, and 
results in smaller overall parameters. 

ABE with key delegation. Our first ABE system also supports key delegation. That is, using 
the master secret key, user Alice can be given a secret key sk f for a function / that lets her decrypt 
whenever the attribute vector x satisfies /(x) = 0. In our system, for any function g, Alice can 
then issue a delegated secret key skf Ag to Bob that lets Bob decrypt if and only if the attribute 
vector x satisfies /(x) = g(x) = 0. Bob can further delegate to Charlie, and so on. The size of the 
secret key increases quadratically with the number of delegations. 

We note that Gorbunov et al. [GVW13] showed that their ABE system for Boolean circuits 
supports a somewhat restricted form of delegation. Specifically, they demonstrated that using a 
secret key skj for a function /, and a secret key sk 9 for a function g, it is possible to issue a secret 
key sk f Ag for the function / A g. In this light, our work resolves the naturally arising open problem 
of providing full delegation capabilities (i.e., issuing sk/ A3 using only sk/). 

1.1 Building an ABE for arithmetic circuits with short keys 

Key-homomorphic public-key encryption. We obtain our ABE by constructing a public-key 
encryption scheme that supports computations on public keys. Basic public keys in our system 
are vectors x in ll q for some £. Now, let x be a tuple in Z q and let / : Z^ — > 7L q be a function 
represented as a polynomial-size arithmetic circuit. Key-homomorphism means that: 

anyone can transform an encryption under key x into an encryption under key /(x). 
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More precisely, suppose c is an encryption of message jjl under public- key x G Z^. There is a 
public algorithm Eval c t(/, x, c) — > Cf that outputs a ciphertext Cf that is an encryption of (i 
under the public-key /(x) G 7L q . In our constructions Eval ct is deterministic and its running time 
is proportional to the size of the arithmetic circuit for /. 

If we give user Alice the secret-key for the public- key 0 G 7L q then Alice can use Eval c t to decrypt c 
whenever /(x) = 0, as required for ABE. Unfortunately, this ABE is completely insecure! This is 
because the secret key is not bound to the function /: Alice could decrypt any ciphertext encrypted 
under x by simply finding some function g such that g{x) = 0. 

To construct a secure ABE we slightly extend the basic key-homomorphism idea. A base 
encryption public-key is a tuple x G Z^ as before, however Eval ct produces ciphertexts encrypted 
under the public key (/(x), (/)) where /(x) G Z 5 and (/} is an encoding of the circuit computing 
/. Transforming a ciphertext c from the public key x to (/(x), (/)) is done using algorithm 
Eval c t (/, x, c) — > Cf as before. To simplify the notation we write a public-key (y, (/)) as simply 
(y, /). The precise syntax and security requirements for key-homomorphic public- key encryption 
are provided in Section 3. 

To build an ABE we simply publish the parameters of the key-homomorphic PKE system. A 
message [i is encrypted with attribute vector x = (xi, . . . , xg) G Z^ that serves as the public key. 
Let c be the resulting ciphertext. Given an arithmetic circuit /, the key-homomorphic property 
lets anyone transform c into an encryption of \i under key (/(x), /). The point is that now the 
secret key for the function / can simply be the decryption key for the public-key (0, /). This key 
enables the decryption of c when /(x) = 0 as follows: the decryptor first uses Eval ct (/, x, c) — > Cf 
to transform the ciphertext to the public key (/(x), /). It can then decrypt Cf using the decryption 
key it was given whenever /(x) = 0. We show that this results in a secure ABE. 

A construction from learning with errors. Fix some n G Z + , prime q, and m = 0(nlogg). 
Let A, G and Bi, . . . , be matrices in Z™ xm that will be part of the system parameters. To 
encrypt a message fi under the public key x = (xi, . . . , xg) G Z^ we use a variant of dual Regev 
encryption [Reg05, GPV08] using the following matrix as the public key: 

(A | xiG + Bi | • • • | x e G + B e ) G Z" x ( £+1 ) m (1) 

We obtain a ciphertext c x . We note that this encryption algorithm is the same as encryption in the 
hierarchical IBE system of [ABB 10] and encryption in the predicate encryption for inner-products 
of [AFVll]. 

We show that, remarkably, this system is key-homomorphic: given a function / : Z^ — > 7L q 
computed by a poly-size arithmetic circuit, anyone can transform the ciphertext c x into a dual 
Regev encryption for the public-key matrix 

(A | /(x) ■ G + B f ) G Z" x2m 

where the matrix Bj G Z™ xm serves as the encoding of the circuit for the function /. This By is 
uniquely determined by / and Bi, . . . , Jig. The work needed to compute By is proportional to the 
size of the arithmetic circuit for /. 

To illustrate the idea, assume that we have the ciphertext under the public key (x,y): c x = 
(co | c x | c y ). Here Co = A T s + e, c x = (xG + Bi) T s + ei and c y = (yG + B2) T s + &2- To compute 
the ciphertext under the public key (x + y, B+) one takes the sum of the ciphertexts c x and c y . 
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The result is the encryption under the matrix 



Or + y)G + (B 1+ B 2 )eZ™ xm 

where B + = Bi + B2. One of the main contributions of this work is a novel method of multiplying 
the public keys. Together with addition, described above, this gives full key-homomorphism. To 
construct the ciphertext under the public key (xy, B x ), we first compute a small-norm matrix 
R G Z™ xm , s.t. GR = -Bi. With this in mind we compute 

R T Cj, = R T • [(yG + B 2 ) T s + e 2 ] » (-yBi + B 2 R) T s, and 
y ■ c x = y [(xG + Bi) T s + ei] « (xyG + yBi) T s 

Adding the two expressions above gives us 

(xyG + B 2 R) T s + noise 

which is a ciphertext under the public key (xy, B x ) where B x = B 2 R. Note that performing this 
operation requires that we know y. This is the reason why this method gives an ABE and not 
(private index) predicate encryption. In Section 4.1 we show how to generalize this mechanism to 
arithmetic circuits with arbitrary fan-in gates. 

As explained above, this key-homomorphism gives us an ABE for arithmetic circuits: the public 
parameters contain random matrices Bi, . . . , B^ 6 Z™ xm and encryption to an attribute vector x in 
Zg is done using dual Regev encryption to the matrix (1). A decryption key sky for an arithmetic 
circuit / : 7L l — > 7L q is a decryption key for the public- key matrix (A | O-G + Bj) = (A|B/). This 
key enables decryption whenever /(x) = 0. The key skj can be easily generated using a short basis 
for the lattice Aj~(A) which serves as the master secret key. 

We prove selective security from the learning with errors problem (LWE) by using another 
homomorphic property of the system implemented in an algorithm called Eval s i m . Using Eval s i m the 
simulator responds to the adversary's private key queries and then solves the given LWE challenge. 

Parameters and performance. Applying algorithm Eval c t(/, x, c) to a ciphertext c increases 
the magnitude of the noise in the ciphertext by a factor that depends on the depth of the circuit 
for /. A A;- way addition gate (5+) increases the norm of the noise by a factor of 0(km). A fc-way 
multiplication gate (<7 X ) where all (but one) of the inputs are in [— p,p] increases the norm of the 
noise by a factor of 0(p k ~ 1 m). Therefore, if the circuit for / has depth d, the noise in c grows in 
the worst case by a factor of 0((p k ~ l m) d ). Note that the weights on used in the gates g + and g x 
have no effect on the amount of noise added. 

For decryption to work correctly the modulus q should be slightly larger than the noise in the 
ciphertext. Hence, we need q on the order of Q(B ■ (p k ~ 1 m) d ) where B is the maximum magnitude 
of the noise added to the ciphertext during encryption. For security we rely on the hardness of 
the learning with errors (LWE) problem, which requires that the ratio q/B is not too large. In 
particular, the underlying problem is believed to be hard even when q/B is for some fixed 
0 < e < 1/2. In our settings q/B = 0((p fe_1 m) d ). Then to support circuits of depth t(X) for 
some polynomial t(-) we choose n such that n > t(X)^ 1 ^^ • (21og 2 n + fclogp) 1 ^, set q = 2^ n "'\ 
m = 0(nlogg), and the LWE noise bound to B = 0(n). This ensures correctness of decryption 
and hardness of LWE since we have Q.((p k m) t ^) < q < 2^™^, as required. The ABE system 
of [GVW13] uses similar parameters due to a similar growth in noise as a function of circuit depth. 
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Secret key size. A decryption key in our system is a single 2m x m low-norm matrix, namely 
the trapdoor for the matrix (A|Bj). Since m = Q(nlogq) and log 2 q grows linearly with the circuit 
depth d, the overall secret key size grows as 0(d 2 ) with the depth. In previous ABE systems for 
circuits [GVW13, GGH + 13c] secret keys grew as 0{d?s) where s is the number of boolean gates or 
wires in the circuit. 



Other related work. Predicate encryption [BW07, KSW08] provides a stronger privacy guaran- 
tee than ABE by additionally hiding the attribute vector x. Predicate encryption systems for inner 
product functionalities can be built from bilinear maps [KSW08] and LWE [AFV11]. More recently, 
Garg et al. [GGH + 13b] constructed functional encryption (which implies predicate encryption) for 
all polynomial-size functionalities using indistinguishability obfuscation. 

The encryption algorithm in our system is similar to that in the hierarchical-IBE of Agrawal, 
Boneh, and Boyen [ABB10]. We show that this system is key-homomorphic for polynomial-size 
arithmetic circuits which gives us an ABE for such circuits. The first hint of the key homo- 
morphic properties of the [ABB10] system was presented by Agrawal, Freeman, and Vaikun- 
tanathan [AFV11] who showed that the system is key-homomorphic with respect to low- weight 
linear transformations and used this fact to construct a (private index) predicate encryption system 
for inner- products. To handle high- weight linear transformations [AFV11] used bit decomposition 
to represent the large weights as bits. This expands the ciphertext by a factor of log 2 q, but adds 
more functionality to the system. Our ABE, when presented with a circuit containing only lin- 
ear gates (i.e. only g + gates), also provides a predicate encryption system for inner products in 
the same security model as [AFV11], but can handle high- weight linear transformations directly, 
without bit decomposition, thereby obtaining shorter ciphertexts and public-keys. 

A completely different approach to building circuit ABE was presented by Garg, Gentry, Sahai, 
and Waters [GGSW13] who showed that a general primitive they named witness encryption implies 
circuit ABE when combined with witness indistinguishable proofs. 



2 Preliminaries 



For a random variable X we denote by x <— X the process of sampling a value x according to the 
distribution of X. Similarly, for a finite set S we denote by x ^— S the process of sampling a value 
x according to the uniform distribution over S. A non-negative function v(\) is negligible if for 
every polynomial p(X) it holds that u(X) < l/p{X) for all sufficiently large A G N. 

The statistical distance between two random variables X and Y over a finite domain £1 is defined 



as 



SD(A, Y) = lj2\ Pr t X = ^ ~ Pr t y 



Two random variables X and Y are 8-close if SD(X,Y) < 5. Two distribution ensembles {Aa}asN 
and {1a}a6N are statistically indistinguishable if it holds that SD(X\,Yx) is negligible in A. Such 
random variables are computationally indistinguishable if for every probabilistic polynomial-time 
algorithm A it holds that 



Pr 



A(l x ,x) = 1 



Pr 



is negligible in A. 
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2.1 Attribute-Based Encryption 

An attribute-based encryption (ABE) scheme for a class of functions F\ = {/ : X\ — > 3M is a 
quadruple II = (Setup, Keygen, Enc, Dec) of probabilistic polynomial-time algorithms. Setup takes a 
unary representation of the security parameter A and outputs public parameters mpk and a master 
secret key msk; Keygen(msk, / G F\) output a decryption key skj ; Enc(mpk, x G X\, fj,) outputs 
a ciphertext c, the encryption of message fi labeled with attribute vector x; Dec(sk/,c) outputs 
a message \x or the special symbol _L. (When clear from the context, we drop the subscript A from 
X x , y\ and 

Correctness. We require that for every circuit / £ J, attribute vector x G X where f(x) = 0, 
and message fi, it holds that Dec(skj,c) = fi with an overwhelming probability over the choice of 
(mpk, msk) «— Setup(A), c «— Enc(mpk, x, n), and sk/ «— Keygen(msk, /). 

Security. For the most part, we consider the standard notion of selective security for ABE 
schemes [GPSW06]. Specifically, we consider adversaries that first announce a challenge attribute 
vector x*, and then receive the public parameters mpk of the scheme and oracle access to a key- 
generation oracle KG(msk, x*,f) that returns the secret key skj for / G T if fix*) / 0 and returns 
_L otherwise. We require that any such efficient adversary has only a negligible probability in distin- 
guishing between the ciphertexts of two different messages encrypted under the challenge attribute 
x*. Formally, security is captured by the following definition. 

Definition 2.1 (Selectively-secure ABE). An ABE scheme n = (Setup, Keygen, Enc, Dec) for a 
class of functions T\ = {/ : X\ — > y x } is selectively secure if for all probabilistic polynomial-time 
adversaries A where A = (Ai, A2, A3), there is a negligible function u(X) such that 



Adv?& BE (A) = Pr[EXPr B in,x(A) = lj - Pr [EXP^ E , n ^(A) = lj < v{\), 

where for each b G {0, 1} and A G N the experiment EXP[b Eii ^(A) is defined as follows: 

1. (x*,statei) <r- Ai{\), where x* € X\ 1 1 A commits to challenge index x* 

2. (mpk, msk) ^— Setup(A) 

3. (/xo, /xi,state2) ^— ^ G ^ msk ' x ''-'(mpk, statei) //A outputs messages fJ,o,fJ,i 

4. c* <r- Enc(mpk, x*,fi b ) 

5. b' ^3 G{msk ' x *'' ) (c*,state 2 ) // A outputs a guess b' for b 

6. Output b' e {0, 1} 

where KG(msk, x*,f) returns a secret key sky = Keygen(msk, /) if f(x*) / 0 and _L otherwise. 

A fully secure ABE scheme is defined similarly, except that the adversary can choose the chal- 
lenge attribute x* after seeing the master public key and making polynomially many secret key 
queries. The following lemma, attributed to [BB11], says that any selectively secure ABE scheme 
is also fully secure with an exponential loss in parameters. 

Lemma 2.2. For any selectively secure ABE scheme with attribute vectors of length I = £(X), there 
is a negligible function u{\) such that Advfj^^A) < 2^ A ) • v{\). 



>(o) 
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2.2 Background on Lattices 

Lattices. Let q,n,m be positive integers. For a matrix A G 2™ xm we j et A^-(A) denote the 
lattice {x G Z m : Ax = 0 in Z g }. More generally, for u £ ZJ we let A"(A) denote the coset 
{x£Z m : Ax = u in Z q }. 

We note the following elementary fact: if the columns of Ta G Z mxm are a basis of the lattice 
A^-(A), then they are also a basis for the lattice A^(xA) for any nonzero x G Z q . 

Learning with errors (LWE) [Reg05]. Fix integers n,m, a prime integer q and a noise dis- 
tribution x over ^- The (n, m, g, x)-LWE problem is to distinguish the following two distributions: 

(A, A T s + e) and (A, u) 

where A <— Z™ xm , s <— Z™, e «— x" 1 , u «— Z™ are independently sampled. Throughout the paper 
we always set m = 0(nlogg) and simply refer to the (n, q, %)-LWE problem. 

We say that a noise distribution % is i?-bounded if its support is in [-B, B\. For any fixed d > 0 
and sufficiently large q, Regev [Reg05] (through a quantum reduction) and Peikert [Pei09] (through 
a classical reduction) show that taking x as a certain g/n d -bounded distribution, the (n, q, x)-LWE 
problem is as hard as approximating the worst-case GapSVP to factors, which is believed to 

be intractable. More generally, let x max < q be the bound on the noise distribution. The difficulty 
of the LWE problem is measured by the ratio (//x max . This ratio is always bigger than 1 and the 
smaller it is the harder the problem. The problem appears to remain hard even when q/x™^ < 2 n " 
for some fixed e G (0, 1/2). 

Matrix norms. For a vector u we let ||u|| denote its £2 norm. For a matrix R G Z fcxm , let R be 
the result of applying Gram-Schmidt (GS) orthogonalization to the columns of R. We define three 
matrix norms: 

• ||R|| denotes the £2 length of the longest column of R. 

• ||R||gs = ||R|| where R is the GS orthogonalization of R. 

• ||R||2 is the operator norm of R defined as ||R|| 2 = sup|| x || =1 ||Rx||. 
Note that ||R|| GS < ||R|| < ||R|| 2 < Vk\\K\\ and that ||R ■ S|| 2 < ||R|| 2 • ||S|| 2 . 
We will use the following algorithm, throughout our paper: 

BD(A) — > R where m = n\\ogq\: a deterministic algorithm that takes in a matrix A G Zg Xm 
and outputs a matrix R G Z™ xm , where each element a G 7L q that belongs to the matrix A 

gets transformed into a column vector r G z[ log ^, r = [ao, ■■■, a \iogq']-i] T ■ Here aj is the i-th 
bit of the binary decomposition of a ordered from LSB to MSB. 

Claim 2.3. For any matrix A G Z" xm , matrix R = BD(A) has the norm ||R|| 2 <m and ||R T || 2 < 
m. 
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Trapdoor generators. The following lemma states properties of algorithms for generating short 
basis of lattices. 

Lemma 2.4. Let n,m,q > 0 be integers with q prime. There are polynomial time algorithms with 
the properties below: 

• TrapGen(l n ,l m ,g) — > (A,T A ) ([Ajt99, AP09, MP12]): a randomized algorithm that, when 
m = O(nlogg), outputs a full-rank matrix A G Z" xm and basis Ta G Z mxm for A^-(A) such 
that A is negl(n)-close to uniform and ||T|| GS = 0{\Jn logg), with all but negligible probability 
in n. 

• ExtendRight(A, Ta, B) — > T(a|b) ([CHKP10]): a deterministic algorithm that given full- 
rank matrices A, B G ^™ xm an d a basis Ta o/A^-(A) outputs a basis T( A |b) of (A|B) 
such that ||Ta||gs = ||T(a|b) ||gs- 

• ExtendLeft(A, G, T G , S) — > T H where H = (A | G + AS) ([ABB 10]): a deterministic 
algorithm that given full-rank matrices A, G G Z™ xm and a basis Tq of A^-(G) outputs a 
basis T H o/A^-(H) suc/i i/iai ||T H |U < ||T G |U ■ (1 + ||S|| 2 ). 

• For m = n[~logg] there is a fixed full-rank matrix G G Z" xm s.i. i/ie lattice A^-(G) /ias a 
publicly known basis Tq G Z mxm w/ii/i ||Tg||gs < v^5- ^ e matrix G is stic/i i/iai /or any 
matrix A G Z" xm ; G • BD(A) = A. 

To simplify the notation we will always assume that the matrix G from part 4 of Lemma 2.4 has 
the same width m as the matrix A output by algorithm TrapGen from part 1 of the lemma. We 
do so without loss of generality since G can always be extended to the size of A by adding zero 
columns on the right of G. 

Discrete Gaussians. Regev [Reg05] defined a natural distribution on A" (A) called a discrete 
Gaussian parameterized by a scalar a > 0. We use P CT (A"(A)) to denote this distribution. For a 
random matrix A G Z™ xm and a = Q(y/n), a vector x sampled from P CT (A"(A)) has £2 norm less 
than o-yjm with probability at least 1 — negl(m). 

For a matrix U = (m| ■ ■ ■ |u fe ) G Z" xfc we let P (T (Aj J (A)) be a distribution on matrices in Z mxfe 
where the i-th column is sampled from P^A^A)) independently for i = 1, . . . , k. Clearly if R is 
sampled from P <7 (Aj J (A)) then AR = U in Z q . 

Lemma 2.5. For integers n,m,k,q,a > 0, matrices A G Z" xm and U G Z" xfc ; if R G Z mxfc is 
sampled from D cr (Aj J (A)) and S is sampled uniformly in {±i} mxm then 

||R T ||2 < oV mk , ||R|| 2 < crVmk , ||S|| 2 < 20y / m 
with overwhelming probability in m. 

Proof. For the {±1} matrix S the lemma follows from Litvak et al. [LPRTJ05] (Fact 2.4). For the 
matrix R the lemma follow from the fact that ||R T || 2 < Vk ■ ||R|| < y/k(a^/m). □ 
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Solving AX = U. We review algorithms for finding a low- norm matrix X G 27™ xfc suc h that 
AX = U. 

Lemma 2.6. Let A G Z" xm and T A G Z mxm be a basis for A;j-(A). Lei U G Z" xfc . T/iere are 
polynomial time algorithms that output X G Z mxA: satisfying AX = U with the properties below: 

• SampleD(A, Ta, U, <r) — > X ([GPV08]): a randomized algorithm that, when a = ||T^|| GS • 
w(v / logm), outputs a random sample X from a distribution that is statistically close to 
*MA?(A)). 

• RandBasis(A, Ta, cr) — > T' A ([CHKP10]): a randomized algorithm that, when a = HT^H^ • 
o;(v / log m), outputs a basis T A o/Aj~(A) sampled from a distribution that is statistically close 
to (V a (A^(A))) m . Note that ||T' A || GS < a \fm with all but negligible probability. 

Randomness extraction. We conclude with a variant of the left-over hash lemma from [ABB10] . 

Lemma 2.7. Suppose that m > (n+ 1) log 2 g + w(logn) and that q > 2 is prime. Let S be an mx k 
matrix chosen uniformly in {1,— l} mxfc mod q where k = k(n) is polynomial in n. Let A and B 
be matrices chosen uniformly in Z" xm and Z™ xfc respectively. Then, for all vectors e in Z™, the 
distribution (A, AS, S T e) is statistically close to the distribution (A, B, S T e). 

Note that the lemma holds for every vector e in Z™, including low norm vectors. 

Additional algorithms Throughout the paper we will use the following algorithms: 

Lemma 2.8. • SampleRight(A, Ta, B, U, a) : a randomized algorithm that given full-rank ma- 
trices A, B G Z" xm , matrix U G Z" xm ; a basis T A of A^-(A) and a = \\T A \\„ ■ u{^J\ogm), 
outputs a random sample X G ^ mxm from a distribution that is statistically close to D cr (A^ J ((A|B))). 
This algorithm is the composition of two algorithms: ExtendRight(A, Ta, B) — > T( A |b) an d 
SampleD((A|B),T (A |B),U, C T) — > X. 

• Samplel_eft(A, S, y, U, a) : a randomized algorithm that given full-rank matrix A G Z™ xm , ma- 
trices S,U G Z" xm , y / 0 G Z q and a = >/5-(l + ||S|| a )-w(>/Iogm), outputs a random sample 
X G Z^ mxm from a distribution that is statistically close to V a (A q J ((A\yG + AS))), where 
G is the matrix from Lemma 2.4, part 4- This algorithm is the composition of two algorithms: 
ExtendLeft(A,yG,T G ,S) — > T^g+as) and SampleD((A|yG+AS), T^g+as), U, a) — > 
X. 

2.3 Multilinear Maps 

Assume there exists a group generator Q that takes the security parameter 1 A and the pairing 
bound k and outputs groups G±, . . . , Gk each of large prime order q > 2 A . Let gi be the generator 
of group Gi and let g = gi- In addition, the algorithm outputs a description of a set of bilinear 
maps: 

{eij : Gi x Gj ->■ G i+j \ i,j > 1, i + j < k} 

satisfying eij(gf, g^) = gf^j for all a, b G Z 9 . We sometimes omit writing and for convince simply 
use e as the map descriptor. 
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Definition 2.9. [{k, ^-Multilinear Diffie-Hellman Exponent Assumption] The challenger runs Q(l^, k) 
to generate groups Gi, . . . , Gk, generators gi, . . . , g^ and the map descriptions e%y Next, it picks 
ci,C2, . ..,cjt € Zj at random. The (/c,£)-MDHE problem is hard if no adversary can distinguish 
between the following two experiments with better than negligible advantage in A: 

(g c \ ■ • • ,/v • • ,/ +2 , • • • , <f ? V 2 , • • • , g c \ P = gf U2 ^ kCl ) 

and 

(g c \...,g^,...,g^ +2 ,...,g c '\g c \...,g^,P) 
where j3 is a randomly chosen element in Gk- 

We note that if k = 2, then this corresponds exactly to the bilinear Diffie-Hellman Exponent 

C t+1 Yl Ci 

Assumption (BDHE). Also, is easy to compute g^ 2<»<fc-i » repeated pairing of the challenge 
components. 

3 Fully Key-Homomorphic PKE (FKHE) 

Our new ABE constructions are a direct application of fully key-homomorphic public-key encryption 
(FKHE), a notion that we introduce. Such systems are public- key encryption schemes that are 
homomorphic with respect to the public encryption key. We begin by precisely defining FKHE and 
then show that a key-policy ABE with short keys arises naturally from such a system. 

Let {A\}a6N and {3^a}asN be sequences of finite sets. Let {^\}AeN be a sequence of sets of 
functions, namely J-\ = {/ : X* — > 3^a} for some t > 0. Public keys in an FKHE scheme are pairs 
(x,f) £ y\ x J-\. We call x the "value" and / the associated function. All such pairs are valid 
public keys. We also allow tuples x G X^ to function as public keys. To simplify the notation we 
often drop the subscript A and simply refer to sets X, y and T . 

In our constructions we set X = 7L q for some q and let T be the set of £-variate functions on 7L q 
computable by polynomial size arithmetic circuits. 

Now, an FKHE scheme for the family of functions T consists of five PPT algorithms: 

• Setup FKHE (l A ) — > (mpk FKHE , msk PKHE ) : outputs a master secret key msk PKHE and public pa- 
rameters mpk PKHE . 

• KeyGen FKHE (msk PKHE , (y, /)) — > sk y j : outputs a decryption key for the public key (y,f) £ 

y x t. 

• EFKHE( m pk FK HEi x £ % i A*) — y c x : encrypts message \i under the public key x. 

• Eva I : a deterministic algorithm that implements key-homomorphism. Let c be an encryption 
of message \x under public key x G X*. For a function / : X* — >■ y G J- the algorithm does: 

Eval(/, x, c) — > c f 

where if y = f(xi, . . . , X() then cj is an encryption of message fx under public-key (y, /). 

• DpKHE^kyj, c) : decrypts a ciphertext c with key sk y j. If c is an encryption of fj, under public 
key (x,g) then decryption succeeds only when x = y and / and g are identical arithmetic 
circuits. 
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Algorithm Eva I captures the key-homomorphic property of the system: ciphertext c encrypted with 
key x = (x±, . . . , xe) is transformed to a ciphertext c/ encrypted under key (/(xi, . . . , xe), /) . 

Correctness. The key-homomorphic property is stated formally in the following requirement: 
For all (mpk FKHE , msk FKHE ) output by Setup, all messages [i, all / G J 7 , and x = (xi, ...,xt) G X 1 : 

If c <r- E F KHE(mpk PKHE , x G X e , //), y = f(x 1: . . . ,x e ), 

c f = Eval(/, x, c), sk «- KeyGen FKHE (msk FKH E, (y, /)) 
Then D FK HE(sk,c/) = //. 

An ABE from a FKHE. A FKHE for a family of functions J" = {/ : X e ->■ J 1 } immediately 
gives a key-policy ABE. Attribute vectors for the ABE are ^-tuples over X and the supported 
key-policies are functions in T . The ABE system works as follows: 

• Setup(l A ,^) : Run Setup FKHE (l A ) to get public parameters mpk and master secret msk. These 
function as the ABE public parameters and master secret. 

• Keygen(msk, /) : Output sk/ <- KeyGen FKHE (msk PKH E, (0,/)). 

Jumping ahead, we remark that in our FKHE instantiation (in Section 4), the number of bits 
needed to encode the function / in sky depends only on the depth of the circuit computing 
/, not its size. Therefore, the size of skf depends only on the depth complexity of /. 

• Enc(mpk, x G X , jj) : output (x, c) where c «— E F KHE(mpk FK HE) x > A*)- 

• Dec(skj, (x, c)) : if /(x) = 0 set Cf = Eval(/, x, c) and output the decrypted answer 

DFKHE(sk/,C/). 

Note that cj is the encryption of the plaintext under the public key (/(x), /). Since skj is 
the decryption key for the public key (0,/), decryption will succeed whenever /(x) = 0 as 
required. 



The security of FKHE systems. Security for a fully key-homomorphic encryption system is 
defined so as to make the ABE system above secure. More precisely, we define security as follows. 

Definition 3.1 (Selectively-secure FKHE). A fully key homomorphic encryption scheme n = 
(Setup FKHE , KeyGen FKHE , E F khe, Eva I) for a class of functions F\ = {f : X^ — > y\} is selectively 
secure if for all p.p.t. adversaries A where A = (Ai, A2, A3), there is a negligible function 
such that 



Adv^(A) 



def 



Pr 



Pr 



EXPW^A) = 1 < i/(A), 



EXPpKH En ^(A) — 1 

where for each b G {0, 1} and A G N the experiment EXP^he ,n .aW ^ s defined as: 

1. (x* G X[ (X \ statei) <- Ai(\) 

2. (mpk FKHE , msk FKHE ) <- Setup FKHE (A) 

3. (//0,/xi, state 2 )^4 GKH(mskFKHE ' a: *'' ) (mpl<FKH E , statei) 
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4. c* <- E FK HE(mpk PKHE , x*, /x 6 ) 

5. 6' <- ^ GKH(mskFKHE ' :E *' v) (c*, state 2 ) // ^ outputs a guess 6' for 6 

6. output b' G {0, 1} 

where KGkh ( ms ^FKHE; ^* j /) is an oracle that on input / G J 7 and y G 3^A) returns _L whenever 
/(x*) = y, and otherwise returns KeyGen FKHE (msk FKHE , (y, /)). 

With Definition 3.1 the following theorem is now immediate. 

Theorem 3.2. The ABE system above is selectively secure provided the underlying FKHE is se- 
lectively secure. 

4 An ABE and FKHE for arithmetic circuits from LWE 

We now turn to building an FKHE for arithmetic circuits from the learning with errors (LWE) 
problem. This directly gives an ABE with short private keys as explained in Section 3. Our 
construction follows the key-homomorphism paradigm outlined in the introduction. 

For integers n and q = q(n) let m = @(n\ogq). Let G G Z™ xm be the fixed matrix from 
Lemma 2.4 (part 4). For x G Z 9 , Be Z™ xm , s G Z£, and 6 > 0 define the set 

E SiJ (i,B) = {(iG + B) T s + eGZ; where ||e|| < <5} 

For now we will assume the existence of three efficient deterministic algorithms Eval p k, Eval c t, Eval s i 
that implement the key-homomorphic features of the scheme and are at the heart of the construc- 
tion. We present them in the next section. These three algorithms must satisfy the following prop- 
erties with respect to some family of functions T = {/ : (Z g ) £ — > Z q } and a function a T : Z — > Z. 

• Eval pk ( f€F, Be (Z" xm )^ ) — > Bj G Z" xm . 

• EvaU ( f € F, ((si,B i>Ci ))J =1 ) — > Cf G Z™. Here x t G Z„ B, G Z" xm and 
Cj G £? Sj 5(xj,Bj) for some seZJ and <5 > 0. Note that the same s is used for all Cj. The 
output Cf must satisfy 

c / G J B s , A (/(x),B / ) where B f = Eval pk (/, (B 1; . . . , B*)) 

and x = (xi, . . . , X(). We further require that A < 8 ■ a T (n) for some function a T {n) that 
measures the increase in the noise magnitude in cj compared to the input ciphertexts. 

This algorithm captures the key-homomorphic property: it translates ciphertexts encrypted 
under public- keys {xi}f =1 into a ciphertext Cf encrypted under public-key (/(x),/). 

• Eval sim ( feT, («, Si)) £ i=v A) — > S/ G Z™ xm . Here x* G Z 9 and S, G Z™ xm . With 
x* = (x*, . . . , x* ), the output Sj satisfies 

AS/ - /(x*)G = B/ where B f = Eval pk (/, (ASi - xJG, . . . , AS £ - xJG)) . 

We further require that for all / G J 7 , if Si, . . . , are random matrices in {±\} my - m then 
|| S/ 1| 2 < «jr(n) with all but negligible probability. 
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Definition 4.1. The deterministic algorithms (Eval p k, Eval ct , Eval s i m ) are a T -FKHE enabling for 
some family of functions T = {/ : (l^qY — > 1>q\ if there are functions q = q(n) and a T = a T {n) for 
which the properties above are satisfied. 

We want «j-FKHE enabling algorithms for a large function family T and the smallest possible 
a T . In the next section we build these algorithms for polynomial-size arithmetic circuits. The 
function a T (n) will depend on the depth of circuits in the family. 

The FKHE system. Given FKHE-enabling algorithms (Eval p k, Eval ct , Eval s i m ) for a family of 
functions T = {/ : (Z g ) e Z q } we build an FKHE for the same family of functions T . We prove 
selective security based on the learning with errors problem. 

• Parameters : Choose n and q = q(n) as needed for (Eval p k, Eval c t, Eval s i m ) to be a^-FKHE 
enabling for the function family T . In addition, let x be a Xmax-bounded noise distribution 
for which the (n, q, x)-LWE problem is hard as discussed in Appendix 2.2. As usual, we set 
m = O(nlogg). 

Set a = uj{ajr ■ \/log m). We instantiate these parameters concretely in the next section. 
For correctness of the scheme we require that a 2 F ■ m < ^ - (g/Xmax) an d ol t > *Jn log m . 

• Setup FKHE (l A ) — > (mpk FKHE , msk PKHE ) : Run algorithm TrapGen(l™, l m , q) from Lemma 2.4 
(part 1) to generate (A, T^) where A is a uniform full-rank matrix in Z" xm . 

Choose random matrices D, Bi, . . . , 6 Z™ xm and output a master secret key msk FKHE and 
public parameters mpk FKHE : 

m P k PKHE = (A,D,Bi, . . . ,B e ) ; msk F KHE = (T A ) 

• KeyGen FKHE (msk PKHE , (y,f))^skyj : Let B 7 = Eval pk (/, (B u . . . ,B e )). 

Output sky j := R/ where R/ is a low-norm matrix in z 2mxm sampled from the discrete 
Gaussian distribution V a (A^(A\yG + B f )) so that (A|yG + B f ) ■ K f = D. 

To construct Rj run algorithm SampleRight(A, Ta, yG + Bf, D, a) from Lemma 2.8, part 1. 
Here a is sufficiently large for algorithm SampleRight since a = ||Ta||gs " ^W^ogm), where 
IITaIIos = 0( v / rnog^). 

Note that the secret key sk y j is always in 'Z 2mxm independent of the complexity of the 
function /. We assume sk y j also implicitly includes mpk FKHE . 

• EpKHE(mpk FKHE , x G X , fij — > c x : Choose a random n dimensional vector s <— and 
error vectors eo, ei ^— x m ■ Choose t uniformly random matrices Sj <— { = hl} mxm for i € [£]. 
Set H G %T {£+1)m and e G Z^ +1)m as 

H = (A | xiG + Bi | ••• | x e G + B e ) G ^ x ( £+1 ) m 
e = (I m |S 1 |...|S,) T -e 0 eZf 1 '" 1 

Let c x = (H T s + e, D T s + ei + \q/2]fi) G Z^ +2 ^ m . Output the ciphertext c x . 
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• DFKHE( s ky,/> c ) ' c ^ e ^ ne encr ypti° n °f M under public key (x,g). If x 7^ y or / and 5 
are not identical arithmetic circuits, output _L. Otherwise, let c = (cj n ,ci, . . . , C£,c ou t) S 

Set c, = Eval ct (/, {(xi, Bj, Cj)}f =1 ) G Z™. 

Let c'j = (cj„|cj) G Z 2m and output Round(c OMt - Rjc^) G {0, l} m . 
This completes the description of the system. 

Correctness. The correctness of the scheme follows from our choice of parameters and, in par- 
ticular, from the requirement a 2 F ■ m < ^ ■ (g/x max ). Specifically, to show correctness, first note 
that when /(x) = y we know by the requirement on Eval ct that cj is in E St &(y,Hf) so that 
Cf = yG + Bjs + e with ||e|| < A. Consequently, 

c' f = (c in \c f ) = (A|yG + B/) T s + e' where ||e'|| < A + x mM < (a T + l)x max ■ 

Since R/ G Z 2mxm is sampled from the distribution £> CT (A^(A|yG + B f )) we know that (A|yG + 
Hf) ■ R/ = D and, by Lemma 2.5, ||Rj||2 < 2mo~ with overwhelming probability. Therefore 

c out - Rjc'f = (D T s + ei) - (D T s + Rje') = ei - Rje' 

and ||ei — Rje'|| < % max + 2ma ■ (a T + l)x max < 3o£ • x max ■ fn with overwhelming probability. 
By the bounds on % this quantity is less than q/4 thereby ensuring correct decryption of all bits 
of ^G {0,l} m . 

Security. Next we prove that our FKHE is selectively secure for the family of functions T for 
which algorithms (Eval p k, Eval ct , Eval s i m ) are FKHE-enabling. 

Theorem 4.2. Given the three algorithms (Eval^, Eval cf , Eval s j m ) for the family of functions T , the 
FKHE system above is selectively secure with respect to F, assuming the (n,q,x)-LWE assumption 
holds where n, q, \ are the parameters for the FKHE. 

Proof idea. Before giving the complete proof we first briefly sketch the main proof idea which 
hinges on the properties of algorithms (Eval p k, Eval c t, EvaUm) and also employs ideas from [CHKP10, 
ABB10]. We build an LWE algorithm B that uses a selective FKHE attacker A to solve LWE. B 
is given an LWE challenge matrix (A|D) G Z™ x2m and two vectors Cj n ,c ou t G Z™ that are either 
random or their concatenation equals (A|D) T s + e for some small noise vector e. 

A starts by committing to the target attribute vector x = (x*, . . . , x|) G 7h s q . In response B 
constructs the FKHE public parameters by choosing random matrices S\, . . . , S| in {±1 } mxm anc i 
setting Bj = AS* — x*G. It gives A the public parameters mpk FKHE = (A, D, Bi, . . . , B^). A 
standard argument shows that each of AS* is uniformly distributed in Z™ xm so that all Bj are 
uniform as required for the public parameters. 

Now, consider a private key query from A for a function / G T and attribute y G Z 9 . 
Only functions / and attributes y for which y* = /(x*,...,x|) 7^ y are allowed. Let Bj = 
Evalpk (/, (Bi, . . . , B^)). Then B needs to produce a matrix R/ in Z 2mxm satisfying (A|B/)-R/ = 
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D. To do so B needs a recoding matrix from the lattice A^-(F) where F = (A|B/) to the lattice 
A^"(D). In the real key generation algorithm this short basis is derived from a short basis for A^"(A) 
using algorithm SampleRight. Unfortunately, B has no short basis for A;j~(A). 

Instead, as explained below, B builds a low-norm matrix S/ G ^rnxm guc j 1 ^ nat B/ = AS/— y*G. 
Because y* / y, algorithm B can construct the required key as R/ «— SampleLeft(A, S/, (y — 

y*),D,<x). 

The remaining question is how does algorithm B build a low-norm matrix S/ G ^™ xm such 
that B/ = AS/ — y*G. To do so ,6 uses Eval s j m giving it the secret matrices S*. More precisely, B 

runs Eval s i m (/, ((x*, S*)). =1 , A) and obtains the required S/. This lets B answer all private key 
queries. 

To complete the proof it is not difficult to show that B can build a challenge ciphertext c* 
for the attribute vector x G Z^ that lets it solve the given LWE instance using adversary A. An 
important point is that B cannot construct a key that decrypts c*. The reason is that it cannot 
build a secret key sk^j for functions where /(x*) = y and these are the only keys that will decrypt 
c*. 

Proof of Theorem 4.2. The proof proceeds in a sequence of games where the first game is iden- 
tical to the ABE game from Definition 2.1. In the last game in the sequence the adversary has 
advantage zero. We show that a PPT adversary cannot distinguish between the games which will 
prove that the adversary has negligible advantage in winning the original ABE security game. The 
LWE problem is used in proving that Games 2 and 3 are indistinguishable. 

Game 0. This is the original ABE security game from Definition 2.1 between an attacker A against 
our scheme and an ABE challenger. 

Game 1. Recall that in Game 0 part of the public parameters mpk are generated by choosing 
random matrices Bi, . . . , B^ in Z" xm . At the challenge phase (step 4 in Definition 2.1) a challenge 
ciphertext c* is generated. We let S*, . . . , S| € {—1, l} mxrrt denote the random matrices generated 
for the creation of c* in the encryption algorithm Enc. 

In Game 1 we slightly change how the matrices Bi, . . . , B^ are generated for the public param- 
eters. Let x* = (x*, . . . , x*f) G Zg be the target point that A intends to attack. In Game 1 the 
random matrices S*, . . . , S*. in {±1 } mxm are chosen at the setup phase (step 2) and the matrices 
Bi, . . . , Bi are constructed as 

B,:=AS*-x*G (2) 

The remainder of the game is unchanged. 

We show that Game 0 is statistically indistinguishable from Game 1 by Lemma 2.7. Observe 
that in Game 1 the matrices S* are used only in the construction of Bj and in the construction of the 
challenge ciphertext where e := (I m |S*| • • • IS^) 7 • eo is used as the noise vector for some eo G Z™. 
Let S* = (S*| • • • |S|), then by Lemma 2.7 the distribution (A, AS*, e) is statistically close to the 
distribution (A, A', e) where A' is a uniform matrix in ^™ x ^ m . it follows that in the adversary's 
view, all the matrices A S* are statistically close to uniform and therefore the Bj as defined in (2) 
are close to uniform. Hence, the Bj in Games 0 and 1 are statistically indistinguishable. 

Game 2. We now change how A in mpk is chosen. In Game 2 we generate A as a random matrix 
in Z™ xm . The construction of Bi, . . . , B^ remains as in Game 1, namely B« = A S* — x*G. 

The key generation oracle responds to private key queries (in steps 3 and 5 of Definition 2.1) 
using the trapdoor Tq- Consider a private key query for function / G T and element y G y . Only 
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/ such that y* = f{x\, . . . , xV) 7^ y are allowed. To respond, the key generation oracle computes 
By = Eval p k(/, (Bi, . . . , B^)) and needs to produce a matrix Rj in z 2mxm satisfying 

(A|yG + B / )-R / = D in Z q . 

To do so the key generation oracle does: 

• It runs Sf <r- Eval s i m (/, {(x*, S*)J ._ 15 A) and obtains a low-norm matrix Sf G Z™ xm such 
that AS/ - y*G = Bf. By definition of Eval s ; m we know that ||Sy||2 ^ oljt. 

• Finally, it responds with Rj = SampleLeft(A, Sf, y, D, a). By definition of SampleLeft we 
know that R/ is distributed as required. Indeed because ||Sj|| 2 < a T {n), a = y/h ■ (1 + 
||S/|| 2 ) • uj(\f\ogm) as needed for algorithm SampleLeft in Lemma 2.8, part 2. 

Game 2 is otherwise the same as Game 1. Since the public parameters and responses to private 
key queries are statistically close to those in Game 1, the adversary's advantage in Game 2 is at 
most negligibly different from its advantage in Game 1. 

Game 3. Game 3 is identical to Game 2 except that in the challenge ciphertext (x*, c*) the vector 
c* = (c m |ci| • • • |c£|c OU () G zj^ +2 ^ m is chosen as a random independent vector in zj^ +2 ^"\ Since the 
challenge ciphertext is always a fresh random element in the ciphertext space, A's advantage in 
this game is zero. 

It remains to show that Game 2 and Game 3 are computationally indistinguishable for a PPT 
adversary, which we do by giving a reduction from the LWE problem. 

Reduction from LWE. Suppose A has non-negligible advantage in distinguishing Games 2 and 3. 
We use A to construct an LWE algorithm B. 



LWE Instance. B begins by obtaining an LWE challenge consisting of two random matrices A, D 
in Z™ xm and two vectors c m , c out in Z™. We know that c m , c out are either random in Z™ or 

c m = A T s + e 0 and c OMt = D T s + ei (3) 



for some random vector s G Z" and eo,ei ^— \ m - Algorithm B's goal is to distinguish these 
two cases with non-negligible advantage by using A. 

Public parameters. A begins by committing to a target point x = (x*,...,x^) G ZJ™ where 
it wishes to be challenged. B assembles the public parameters mpk as in Game 2: choose 
random matrices S*, . . . ,S| in {±l} mxm and set Bj = AS* - x*G. It gives A the public 
parameters 

mpk= (A,D,Bi,...,B £ ) 

Private key queries. B answers .A's private- key queries (in steps 3 and 5 of Definition 2.1) as in 
Game 2. 

Challenge ciphertext. When B receives two messages Ho,H\ G {0, l} m from A, it prepares a 
challenge ciphertext by choosing a random b <— {0, 1} and computing 

c* 0 = (i m |s;|...|s;) T - Cin ezf +1 » ra (4) 
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and c* = (cq, c out + \q/2\^) G . B sends (x*,c*) as the challenge ciphertext to A. 

We argue that when the LWE challenge is pseudorandom (namely (3) holds) then c* is 
distributed exactly as in Game 2. First, observe that when encrypting (x*, ^ib) the matrix H 
constructed in the encryption algorithm Enc is 

H = (A | x\G + Bi | • • • | x\G + B e ) 

= (A | x\G + (AS! - x\G) | • • • | x* e G + (ASJ - x}G)) = (A | ASJ | • • • | AS J) 

Therefore, Cq defined in (4) satisfies: 

c* 0 = (I m |Sl|...|S|) T -(A T s + e 0 ) 

= (A|ASJ | ••• | AS^) T • s + (I m |S^| • • • |S^*) T • e 0 = H T s + e 

where e = (I m |Sj| • • • |S|) T • eo- This e is sampled from the same distribution as the noise 
vector e in algorithm Enc. We therefore conclude that Cq is computed as in Game 2. Moreover, 
since c out = D T s + ei we know that the entire challenge ciphertext c* is a valid encryption 
of (x*,/Xb) as required. 

When the LWE challenge is random we know that C; m and c out are uniform in Z™ . Therefore 

the public parameters and Cq defined in (4) are uniform and independent in Z^ +1 ^ m by a 
standard application of the left over hash lemma (e.g. Theorem 8.38 of [Sho08]) where the 
universal hash function is defined as multiplication by the random matrix (A T |cj n ) T . Since 

c ou t is also uniform, the challenge ciphertext overall is uniform in zj^ +2 ^ m , as in Game 3. 

Guess. Finally, A guesses if it is interacting with a Game 2 or Game 3 challenger. B outputs JVs 
guess as the answer to the LWE challenge it is trying to solve. 

We already argued that when the LWE challenge is pseudorandom the adversary's view is as 
in Game 2. When the LWE challenge is random the adversary's view is as in Game 3. Hence, 
£Ts advantage in solving LWE is the same as „4's advantage in distinguishing Games 2 and 3, as 
required. This completes the description of algorithm B and completes the proof. ■ 

Remark 4.3. We note that the matrix Ry in KeyGen FKHE can alternatively be generated using 
a sampling method from [MP 12]. To do so we choose FKHE public parameters as we do in the 
security proof by choosing random matrices Sj, . . . , in {±i} mxm anc l setting Bj = AS«. We 
then define the matrix Bj as Bj := AS/ where Sf = Eval s i m (/, ((0, Sj))f =1 , A). We could 
then build the secret key matrix sk y j = Rj satisfying (A|yG + By) • R/ = D directly from the 
bit decomposition of D/y. Adding suitable low-norm noise to the result will ensure that sk y j is 
distributed as in the simulation in the security proof. Note that this approach can only be used to 
build secret keys sk y j when y ^ 0 where as the method in KeyGen FKHE works for all y. 

4.1 Evaluation Algorithms for Arithmetic Circuits 

In this section we build the FKHE-enabling algorithms (Eval p k, Eval ct , Eval s i m ) that are at the heart 
of the FKHE construction in Section 4. We do so for the family of polynomial depth, unbounded 
fan-in arithmetic circuits. 
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4.2 Evaluation algorithms for gates 

We first describe Eval algorithms for single gates, i.e. when Q is the set of functions that each takes 
k inputs and computes either weighted addition or multiplication: 



U 



a,ai,...,Qfet 



g(xi, ...,Xk) = a±xi + a 2 x 2 + . . . + a k x k 
g\g:Z k q ^Z q , or 

g(xi, . . . , x k ) = a ■ xi ■ x 2 ■ . ■ ■ ■ x k 



(5) 



We assume that all the inputs to a multiplication gate (except possibly one input) are integers in 
the interval [—p, p] for some bound p < q. 



We present all three deterministic Eval algorithms at once: 

771; 



Eval pk ( 5 G G, B G (Z^ m ) k ) — > B s G Z« xm 



Eval ct ( 5 GS, ((xi.B^Ci))*^)— >c fl 6Z; 
Eval sim (<7 G 0, ((x*,S,))* =1 , A) >■ S 9 G Z™ xm 

• For a weighted addition gate g(x\, . . . , x k ) = a\X\ + • • • + a k x k do: 
For i G [k] generate matrix Rj G ^mxm suc j 1 

GRj = ajG : Rj = BD(ajG) (as in Lemma 2.4 part 4). (6) 
Output the following matrices and the ciphertext: 

k k k 

B 9 = ^BjRi, S 9 = ^SiRj, c s = ^Rfcj (7) 

i=l i=l i=l 

• For a weighted multiplication gate g(x±, . . . , x k ) = ax\ ■ . . . ■ x k do: 

For i G [k] generate matrices Rj G Z™ xm such that 

GRi = aG : Ri = BD(aG) (8) 
GRj = -Bj iRj i : Rj = BD(-Bj_iRi_i) for all i € {2, 3, . . . , fe} (9) 

Output the following matrices and the ciphertext: 

k / k \ k I k \ 

b, = B fc R fc , s 9 = ^ n< s ^-> c 9 = e n x 0 r j<^ ( io ) 

For example, for k = 2, B g = B2R2, S g = X2S1R1 + S 2 R 2 , c g = xJjRfci + R^. 

For multiplication gates, the reason we need an upper bound p on all but one of the inputs X{ is 
that these Xi values are used in (10) and we need the norm of S g and the norm of the noise in the 
ciphertext c g to be bounded from above. The next two lemmas show that these algorithms satisfy 
the required properties to be FKHE-enabling. 

Lemma 4.4. Let f3 g (m) = km. For a weighted addition gate g(x) = a±x\ + . . . + a k x k we have: 
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1. Ifci G E s g(xi,~Bi) for some s £ Z™ and 5 > 0, thenc g £ E s ^(g(x),B g ) where A < f3 g (m)-8 
and B g = Eva\ pk (g, (Bi, . . . , B fe )). 

2. The output S g satisfies AS g — g(x*)G = B g where ||S 9 || 2 < P g (m) • maxj g [ fc ] ||Sj|| 2 
and B s = Eval pfc (g, (ASi - a^G, . . . , AS fc - x* k G)) . 

Proof. By Eq. 7 the output ciphertext is computed as follows: 

k k 

c g = ^2 R-F " c i = ^ ^ ' (y( Xi ^* + Bj) T s + = // substitute for Cj = (sjG + Bj) T s + 
i=i i=i 

fc k k 

= ^(xjGRj) T s + ^(BjRj) T s + y^(Rfej) = // break the product into components 

i=l i=l i=l 

= a^i G T s + Bjs + e g = II GRj = c^R; from Eq. 6 and B g = ^ BjRj from Eq. 7 



,i=i 



= [a(x)G + B g ] J s + e, 

(\ Lemma 2A,part 4 
IIRJII2 • Il e j|| ) < km- 8. 

This completes the proof of the first part of the lemma. 

In the second part of the lemma, by Eq. 7 the output matrix B g is computed as follows: 

k 

B g = ^2(AS t - x*G)Ki = II plu g-in matrices given in the lemma into Eq. 7 
i=i 

k k 

=A SjRj - «ix* G = AS 9 - g(x*)G // GR 8 = c^R, from Eq. 6 



i=i i=i 



Lemma 2A,part 4 

Then ||S 9 || 2 = |E i=1 S;Rj|| 2 < k ■ max i6[fc] (||Sj|| 2 • ||Ri|| 2 ) < km ■ max ig[fc] (||Sj|| 2 ) 

as required. □ 

The next Lemma proves similar bounds for a multiplication gate. 

Lemma 4.5. For a multiplication gate g(x) = a nf=i x i we have the same bounds on c g and S g 

^ l 

as in Lemma 4-4 with /3 g (m) = p p Z l m. 
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Proof. Set e g = Ylj=i (Yli=j+i x «) ^-J e j- Then the output ciphertext is computed as follows: 

k I k \ k I k \ 

c g = ^2 I I J x i J R-J c i = E I J [ x i J Rj + Bj) 1, s + e^j = I) substitute for Cj 



j=i \i=j+i 
k 



j=i \i=j+i 

k I k 



j=2 \i=j 
T 



\i=l 
' k 



s + e g = If regroup 



Y[ Xi GRi + B fc R A 



s + e g = If use Eq. 9 to cancel terms 



[ff(x)G + B g ] T s + e g II use the facts GRi = aG (Eq. 8), B g = B k H k (Eq. 10) 



The bound on the noise ||e s || is: 



k I k 

£ n * I * 

j=l \i=j+l 



■J e J 



<(l +p+ ...+pfc-i) . m ^[\\Rj\\ 2 .\\ ej \ 



Lemma. 2.3 — \ 



< 



■5 



This completes the first part of the lemma. In the second part of the lemma, the output matrix 
B g is computed as follows: 



B g =(AS fc - x k G)B k 



Eq. 9 



// by (9) we have GR fc = -(AS fc _i - x fc _iG)R fe _i 



= (ASfeRfc + XfcASfc_iRfc_i — x k ■ ifc-iGRn) = ... = 

= (AS fe R fc + XfcASfe-iRfe-i + x k ■ AS fe -2Rfc-2 + • • • + (-xi ■ ■ ■ x k GKi)) 
= {AS g - ax! ■ ■ ■ x k G) = (AS 9 - g(x)G) 

Moreover, the bound on the norm of S g is: 

k I k \ 

e n A s ^ 

j=l \i j • I / 

( \ Lemma. 2.3 jy^ — 1 
1 + p + ... +p k ~ 1 ) max(||Si|| a • ||R;iy < -//; max(||S, 



Eq. 8 



>g\\2 



ie[k] 



p - 1 ie[k] 



as required. 



□ 



4.3 Evaluation algorithms for circuits 

We will now show how using the algorithms for single gates, that compute weighted additions and 
multiplications as described above, to build algorithms for the depth d, unbounded fan-in circuits. 

Let {Ca}agn be a family of polynomial-size arithmetic circuits. For each C € C\ we index the 
wires of C following the notation in [GVW13]. The input wires are indexed 1 to £, the internal 
wires have indices £+l,£ + 2, . . . ,\C\ — 1 and the output wire has index \C\ , which also denotes the 
size of the circuit. Every gate g w : Z^™ — > Z q (in Q as per 5) is indexed as a tuple (w\, . . . , w kw ,w) 
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where k w is the fan-in of the gate. We assume that all (but possibly one) of the input values to 
the multiplication gates are bounded by p which is smaller than scheme modulus q. The "fan-out 
wires" in the circuit are given a single number. That is, if the outgoing wire of a gate feeds into 
the input of multiple gates, then all these wires are indexed the same. For some A G N, define the 
family of functions T = {/ : / can be computed by some C G C\}. Again we will describe the three 
Eva I algorithms together, but it is easy to see that they can be separated. 

Eval pk (/ G F, B G (Z£*™)< ) — > B f G Z« xm 
EvaUCfGJ-, (te.Bi.Ci))^)— > C/ 6Z™ 
Eval sim (/ G T, OJ.SO)^, A) > Sf G Z™ xm 

Let / be computed by some circuit C G C\, that has t input wires. We construct the required 
matrices inductively input to output gate-by-gate. 

For all w G [C] denote the value that wire w carries when circuit C is evaluated on x or x* to be 
x w or x* w respectively. Consider an arbitrary gate of fan-in k w (we will omit the subscript w where 
it is clear from the context): (wi, ... ,Wk,w) that computes the function g w : Z^ — > Z 9 . Each wire 
Wi caries a value x Wi . Suppose we already computed B TOl , . . . , , S Wl , . . . , S Wk and c Wl , . . . , c Wk , 
note that if w\ , . . . , Wk are all in {1, 2, . . . , £} then these matrices and vectors are the inputs of the 
corresponding Eva I functions. 

Using Eval algorithms described in Section 4.2, compute 

B w = Eva\ pk (g w , (B W1 , ... , B Wfc )) 
c w = Eval c t(<7uj, (( x u>i j ~Bwi j c Wi ))j =1 ) 
Sto = Eval s ; m ((7 w , ^w«))j=i) 

Output Bj := B| C |, := C| C |, Sj := S|c|. Next we show that these outputs satisfy the required 
properties. 

Lemma 4.6. Let f3(m) = ^£^m. // Cj G E Sj s(xi, Bj) /or some s G Z^ and 5 > 0, t/ien 
c / €S BiA (/(x),B / ) w/iere A < ((3{m)) d ■ 5 and B f = Eva\ pk (f, (B 1; . . . , B e )). 

Proof. By Lemma 4.4 and 4.5, after each level of the circuit the noise is multiplied by f3 gw (m), 
which is upperbounded by (3(m) and the total number of levels is equal to the depth d of the 
circuit. The lemma follows. □ 

Lemma 4.7. Let f3{m) be as defined in Lemma 4-6- If Si, . . . , are random matrices in | = | = i} m - xm ; 
then the output Sf satisfies AS/ — /(x*)G = Bf where ||S/|| 2 < (fi(m)) d ■ 20-^/m and 
B / = Eval pfc (/, (ASi-x;G,...,AS/-x;G)) . 

Proof. Since the input Sj for i G [£] are random matrices in { = | = i} mxm ) by Lemma 2.5 for all i G [£], 
||Sj|| 2 < 20-y/m. By Lemma 4.4 and 4.5, after each level of the circuit the bound on S gets multiplied 
by at most (3(m), therefore after d levels, which is the depth of the circuit, the bound on the output 
matrix will be ||Sj|| 2 < (f3(m)) d ■ 20-^/m. The lemma follows. □ 

In summary, algorithms (Eval p k, Eval ct , Eval s i m ) are a^r-FKHE enabling for 

a T (n) = (j3(m)) d ■ 20y/m = 0((p k ~ 1 m) d y/m) , where m = @(n\ogq). (11) 
This is sufficient for polynomial depth arithmetic circuits as discussed in the introduction. 
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4.4 ABE with Short Secret Keys for Arithmetic Circuits from LWE 

The FKHE for a family of functions T = {/ : (Zg) £ — > Z q } we constructed in Section 4 immediately 
gives a key-policy ABE as discussed in Section 3. For completeness we briefly describe the resulting 
ABE system. 

Given FKHE-enabling algorithms (Evalp^, Eval ct , Eval s i m ) for a family of functions T from Sec- 
tion 4.1, the ABE system works as follows: 

• Setup(l A ,f): Choose n, q, %,m and a as in "Parameters" in Section 4. 

Run algorithm TrapGen(l n , l m ,q) (Lemma 2.4, part 1) to generate (A, Ta). 
Choose random matrices D, Bi, . . . , G Z" xm and output the keys: 

mpk=(A,D,Bi,...,B / ) ; msk = (T A , D, Bi, . . . , B t ) 

• Keygen(msk, /): Let B/ = Eval pk (/, (Bi, . . . , B^)). 

Output skj := Rj where Rj- is a low- norm matrix in J J 2mxm sampled from the discrete 
Gaussian distribution £> CT (A^(A|B/)) so that (A|B/) • R/ = D. 

To construct R/ run algorithm SampleRight(A, Ta, yG + B/, D, a) from Lemma 2.8, part 1. 

Note that the secret key sky is always in Z 2mxm independent of the complexity of the func- 
tion /. 

• Enc(mpk, x G Z^, /u G {0, l} m ): Choose a random vector s ^— and error vectors eo,ei 
X m - Choose £ uniformly random matrices Sj «— {±l} mxm for % G [£]. Set 

H = (A | xiG + Bi | ■■■ | x £ G + B e ) e z^{t+i) m 
e = (I m |Si|...|S / ) T -e 0 £Zj' +1 ) m 

Output c = (H T s + e, D T s + ei + \q/2]n) G Z? +2)m . 

• Dec(skj, (x, c)) : If /(x) ^ 0 output _L. Otherwise, let the ciphertext c = (cj n , ci, . . . , ce, c out ) G 
4' +2)m , set c, = Eval ct (/, B,, Ci )}f =1 ) G Z™. 

Let c'j = (cj n |c/) G Z 2m and output Round(c OMt - Rjc^) G {0, l} m . 

This completes the description of the system. The proof of the following security theorem follows 
from Theorems 4.2 and 3.2. 

Theorem 4.8. For FKHE-enabling algorithms (Evalpfc, Eval c t, Eval s j TO ) for the family of functions 
J 7 , the ABE system above is correct and selectively-secure with respect to T , assuming the (n,q,x)- 
LWE assumption holds where n, q, x are the parameters for the FKHE-enabling algorithms. 

5 Extensions 
5.1 Key Delegation 

Our ABE easily extends to support full key delegation. We first sketch the main idea for adding 
key delegation and then describe the resulting ABE system. 
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In the ABE scheme from Section 4.4, a secret key for a function / is a matrix Rj that maps 
(A|Bj) to some fixed matrix D. Instead, we can give as a secret key for / a trapdoor (i.e. a 
short basis) Tp for the matrix F = (A|Bj). The decryptor could use Tp to generate the matrix 
Ft/ herself using algorithm SampleD. Now, for a given function g, to construct a secret key that 
decrypts whenever the attribute vector x satisfies /(x) = g(x) = 0 we extend the trapdoor for 
F into a trapdoor for (F|B S ) = (A|Bj|B 9 ) using algorithm ExtendRight. We give a randomized 
version of this trapdoor as a delegated secret key for / A g. Intuitively this trapdoor can only be 
used to decrypt if the decryptor can obtain the ciphertexts under matrices B f and B s which by 
security of ABE can only happen if the ciphertexts was created for an attribute vector x satisfying 
/(x) = <7(x) = 0. 

The top level secret key generated by Keygen is a (2m x 2m) matrix in Z. After k delegations the 
secret key becomes a ((k + l)m x (k + l)m) matrix. Hence, the delegated key grows quadratically 
with the number of delegations k. 



Definition. Formally, a delegatable attribute-based encryption (DABE) scheme is an attribute- 
based encryption scheme that in addition to four standard algorithms (Setup, Keygen, Enc, Dec) 
offers a delegation algorithm Delegate. Consider a ciphertext c encrypted for index vector x. The 
algorithm Keygen returns the secret key skf for function / and this key allows to decrypt the 
ciphertext c only if /(x) = 0. The delegation algorithm given the key skf and a function g outputs 
a "delegated" secret key that allows to decrypt the ciphertext only if /(x) = OA <?(x) = 0, which 
is a more restrictive condition. The idea can be generalized to arbitrary number of delegations: 

Delegate(mpk,s/c /lv .. Jfc ,/ fe+1 ) -»• sk fu „_ Jk+1 : 

Takes as input the master secret key msk, the function fk+i G T and the secret key skf u ...j k 
that was generated either by algorithm Keygen, if k = 1 or by algorithm Delegate, if k > 1. 
Outputs a secret key sk/ li ...j k+1 - 

Correctness. We require the scheme to give a correct ABE as discussed in Section 2.1 and in 
addition to satisfy the following requirement. For all sequence of functions f±, . . . , fk £ J 7 , a message 
m G M and index x 6 lA, s.t. /i(x) = 0 A ... A /jt(x) = 0 it holds that \i = Dec(skf lv ..j fc , (x, c)) 
with an overwhelming probability over the choice of (mpk, msk) <— Setup(l A ,^), c <- Enc(mpk, x € 
X e , fi), sk fl 4- Keygen ( msk, /i) and sk fl: ,„j i+1 <- Delegate(mpk, sk flr ,_ jfi , f i+1 ) for all i G [A;]. 

Security. The security of DABE schemes is derived from definition of selective security for ABE 
scheme (see Definition 2.1) by providing the adversary with access to a key-generation oracle. 

Definition 5.1 (Selectively-secure DABE). A DABE scheme II = (Setup, Keygen, Enc, Dec, Delegate) 

for a class of functions F = {J 7 \}\<=n with £ = £(X) inputs over an index space X = {^f}AeN and a 
message space M = {A^a}agn is selectively secure if for any probabilistic polynomial-time adversary 
A, there exists a negligible function u(\) such that 



Advfn Bt (A) = Pr Exptg" n ,(A) = 1 - Pr Expt^ ABEM JX) = 1 < u(X), 



sDABE,n,yl 



where for each b £ {0, 1} and A G N the experiment Expt[^ ABE n ^(A) is defined as follows: 
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1. (x*,statei) <- A(X), where x* G X 1 . 

2. (mpk, msk) «— Setup(A). 

3. (/x 0 ,/xi,state 2 ) <- ^ KG ( msk,x *' - )(mpk,statei), where Ho,m G M\. 

4. c* <— Enc(mpk, x*,/x 6 ). 

5. 6' ^^l KG ( msk ' x *'-)(c*,state 2 ). 

6. Output 6' G {0,1}. 

Here the key-generation oracle KG(msk, x*, (/i, . . . , /&)) takes a set of functions /i, . . . , /& G J 7 and 
returns the secret key sk/ lv ..j fc if /i(x*) /0V...V/j(x*) ^0 and otherwise the oracle returns 
_L. The secret key skf lt ^j k is defined as follows: sk^ = KeyGen(msk, f\) and for all 
i€{2,...,k} sk fu _ tf . = Delegate(mpk,sk /l) ... )/ ._ 1 ,/ i ). 



5.1.1 A delegatable ABE scheme from LWE 

The DABE scheme will be almost identical to ABE scheme described earlier, except as a secret key 
for function / instead of recoding matrix from (A|Bj) to D we will give the rerandomized trapdoor 
for (A|Bj) and then the decryptor can build the recoding matrix to D himself. 

KeyGen(msk, /) : 

Let B / = Eval pk (/, (B l5 . . . , B € )). 

Build the basis T/ for F = (A|B/) G Z" x2m as T/ <- RandBasis(F, ExtendRight(A, T A , B f ), a), 
for big enough a = ||Ta||gs " ^(yjlog m) (we will set a as before: a = oj(a T ■ ylogm)). 
Output skf := Tj. 

Delegate(mpk,sk /l) ... Jfc ,5) : 

Parse the secret key skj, ^ as a matrix G ^( fc+1 ) mx ( fc+1 ) Tra w hich is a trapdoor for the 
matrix (A|B /l |...|B /fc )GZ^ x(fc+1)m . 
Let B g = Eval pk (<?, (Bi, . . . , B e )). 

Build the basis for matrix F = (A|B/J . . . |B /fc |B 9 ) G Zg X(k+2)m : 

T k+1 = RandBasis(F,ExtendRight((A|B /l |...|B /fc ),T fc ,B fl ),<7 fc ). 

Here a k = a • (y/m logm) k . Output sk^ lv „j fc)9 := T^ +1 G ;g( fc + 2 ) mx ( fc+2 )"\ Note that the size 
of the key grows quadratically with the number of delegations k. 

Dec(sk /lv .. i/fc , (x,c)) : If /i(x) / 0 V ... V / fe (x) / 0 output _L. 

Otherwise parse the secret key sk/ lv ..j fc as a matrix G ^( fc+1 ) mx ( fc+1 ) m w hich is a trapdoor 
for the matrix (A|BjJ . . .\Bf k ). 

Run R «— SampleD( (AjB/J . . . |B/ fc ), D, a k ) to generate a low-norm matrix 
R G z ( q +1)mxm such that (A\B fl \ . . . |B /fc ) R = D. 

For all j G [A;], compute (c in , cj, c out ) = Eval ct ({(xj, Bj)}f =1 , c, /j) G Z^ m . Note that c ira 
and c out stay the same across all i G [fc]. 

Let c' = (cj n |ci| . . . |cfc) G Zq k+1 ^ m . Output fi = Round(c OU i — R T c'). 
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Correctness. To show correctness, note that when /i(x) = 0 A . . . A/&(x) = 0 we know by the 
requirement on Eval ct that the resulting ciphertexts c/ s G E Sj a(0, B/J for V« G [A;]. Consequently, 

(c^lc/J . . . |c/J = (A|B/J . . . |B /fe ) T s + e' where ||e'|| < kA + Xmax < {ka T + l)x max . 

We know that (A|B^ | . . . |Bj fe ) • R = D and ||R T ||2 < (k + \)mok with overwhelming probability 
by Lemma 2.5. Therefore 

c out - R T c / / = (D T s + ei) - (D T s + R T e') = e x - R T e' . 

Finally, 

||ei - R T e'|| < x max + {k + l)ma k ■ (a T + l)x max < (A; + 2)a£ ■ Xmax ■ m fc/2+1 

with overwhelming probability. The bound on a T : a%m k / 2+1 < 4 ( fc + 2 ) • (g/x max ) ensures that this 
quantity is less than q/4 thereby ensuring correct decryption of all bits of ji G {0, l} m . 

Security. The security game is similar to the security game for FKHE, described in Section 4, 
except in Game 2 we need to answer delegated key queries. Consider a private key query sk/- lv ..j fe , 
where fi,...,fk G J 7 . This query is only allowed when /i(x*) / 0 V ... V /fc(x*) / 0. Without 
loss of generality, assume that /i(x*) = 0 A ... A /fc_i(x*) = 0 and /fe(x*) / 0. Indeed for all other 
cases, the adversary may ask for the key for a smaller sequence of functions and delegate herself. 
The key generation oracle for all i G [k] computes Bj. = Eval p k(/i, (Bi,...,B^)) and needs to 

produce a trapdoor T fc G z( fe+1 ) mx ( A; + 1 ) m for the matrix (A\B fl \ . . . |B /fc ) G Zg X{k+1)m . 
To do so the key generation oracle does: 

• Run Sf k ^— Eval s i m (/fc, ((x*, S*)) i=1 , A) and obtains a low-norm matrix Sf k G Z™ xm such 
that AS/ fc — /fc(x*)G = Hf k . By definition of Eval s i m we know that ||S/ fc || 2 < a T . 

• Let F = (AIB/J . . . |B A ) = (A|B A | . . . |B /fc _JAS /fc - y*G). Because y* / 0 the key gener- 
ation oracle can obtain a trapdoor T( A | B/ j by running 

T( A |B /fc ) <r- ExtendLeft(y*G,T G ,A,S /fc ) 
And then produce T (A | B/ j B/i |.. .ib,^) h J running 

T( A |B / jB /l |...|B /fc _ 1 ) <~ ExtendRight(G, T G , (B A | . . . |B /fc _J) 

Now we can switch the rows of the matrix T(A|B/ IB/J...IB/ ) to get the matrix T^, which 
is a trapdoor for (A|B/J . . . |B/ fc ). This operation, as well as Extend Right function (according 
to Lemma 2.4, part 2) does not change the Gram-Schmidt norm of the basis, therefore this 
trapdoor satisfies 

llTpllos < HTgIIcs- ||S/J 2 < vW(n) 
where the bound on ||Tg|| gs is from Lemma 2.4 (part 4). 

• Finally, it responds with rerandomized trapdoor = RandBasis(F, Tp, at)- 

By definition of Rand Basis we know that is distributed as P CTfe (A? (F)) as required. Indeed 
= ||Tf||gs • w(\/1ogm) as needed for algorithm RandBasis in Lemma 2.6 (part 3). 
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5.2 Polynomial gates 

We can further reduce the depth of a given arithmetic circuit (and thereby shrink the required lattice 
sizes) by allowing the circuit to use more general gates than simple addition and multiplication. 
For example, the fc-way OR gate polynomial can be implemented using a single gate. 

Definition 5.2. An £-variate polynomial is said to have restricted arithmetic complexity (£,d,g) if 
it can be computed by a depth-d circuit that takes £ inputs x\,...,xt G Zq and outputs a single 
x G Zq. The circuit contains g gates, each of them is either a fan-in 2 addition gate or a fan-in 2 
multiplication gate. Multiplication gates are further restricted to have one of their two inputs be 
one of the inputs to the circuit: xi,...,X£. 

We build the Eva I algorithms for polynomials with complexity (£,d,g) whose running time is 
proportional to g and that increase the magnitude of the noise in a given ciphertext by a factor of 
at most 0(p d ■ m), where p is the bound on all the intermediate values. Were we to directly use 
the Eva I algorithms from the previous section on this polynomial, the magnitude of the noise would 
increase by 0((pm) d ) which is considerably larger, especially when p is small (e.g. p = 1). 

We can build arithmetic circuits using polynomials with complexity (£, d, g) as gates. Evaluating 
a depth D arithmetic circuit with such polynomial gates would increase the magnitude of the noise 
by at most a factor of 0((p d ■ m) D ). Again, if we were to simply treat the circuit as a standard 
arithmetic circuit with basic addition and multiplication gates the noise would instead grow as 
0{(pm) dD ) which is larger. 

Next we present ABE-enabling algorithms Eval p k, Eval ct , Eval s i m for these enhanced polynomial 
gates with the noise bounds discussed in the previous paragraph. To support multiplication and 
addition of constants, we may assume that we have an extra 0-th input to the circuit that always 
carries the value 1. We present all three algorithms at the same time. Suppose that / is a polyno- 
mial with complexity (£,d,g), then the three algorithms work as follows: 

Eval pk (/, B G (Z^ m Y ) — > B f G Z" xm 
Eval ct (/, ((xi.B^Ci))^ )— >c, GZ™ 
Eval sim (/, (O^S^ti, A)^S / GZ™x- 

For each wire w G [|/|] (here |/| denotes the total number of wires in the circuit and the notation 
of naming the wires is as described in Section 4.3) starting from the input wires and proceeding to 
the output we will construct the matrices B w G Z™ xm , S w G Z™ xrrt , c w GZ™. Finally we output 
Bj = B|j|, Sf = S|j|, Cf = C|j|. Consider an arbitrary gate and suppose that matrices on the input 
wires are computed, then to compute the matrices on the output wire do the following: 

• Suppose the gate computes addition, has input wires w\ and u>2 and output wire w. Then 
set the output matrices on wire w to be: 

Bui = B mi + B W2 , S w = S W1 + S W2 , c w = c Wl + c W2 . 

• Suppose the gate computes the multiplication by Xj for some i G [I], the input wires are u 
and i, the output wire is w. Then generate matrix R G Z™ xm to satisfy GR = — B M by 
running R = BD(— B u ). Output 

B — B^R, S^j — S^R -|- x w k) u , c w — XiC u -\- R . 
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Note that the amount of work required to run the Eva I algorithms is proportional to the number 
of gates g in the circuit. 

The following lemma shows that the noise in the output ciphertext grows by at most the factor 
of 0(p d m), where p is the upper bound on the intermediate values in the circuit. 

Lemma 5.3. If Cj £ E 3 ^{xi, Bj) for some s £ Z" 5 > 0 and the bound on the numbers p > 2, then 
for the polynomial f of complexity (£, d, g) with = (1 + p + . . . + p d ) ■ m we have: 

• Cf satisfies cj £ E St /\(f(x),~Bf) where By = Eval p /j(/, (Bi,...,B^)) and A < (3d(m) • 5 , 

• Sf satisfies AS/ — /(x)G = By where By = Eval p jt(/, (ASi — x\G, . . . , AS^ — x^G)) 
and ||S/||2 < f3d(iTi) ■ 7 where 7 = max ig ^ 1 1 SS^ 1 1 2 - 

Proof. We prove the lemma by induction. 

• Consider an addition gate at level i with input wires w\ and w>2 and output wire w. Suppose 
for j 6 [2], the noise in the ciphertexts ||e Wj || < /3j_i(m)<5 and ||S W J|2 < /3j_i(m) • 7. 

— "I - — (xi^i G -1- B^ ) s -\- g Wi -j- {x W 2 G -(- B W2 ) s ~\~ — G ~t~ B w ) s -t- e^ 

- ||ej| = ||e wi + e W2 || < ||e wi || + ||e W2 || < (/3j_i(m) + /3j_i(m))<5 < /3;(m)<5 

~~ B«i — B^j + B,(, 2 — ( ASj^j x Wl G) + ( AS W2 G) — A(S Wl + S W2 ) ~\~ x W2 ) G — 

AS m x w G 

1 1 1 1 2 = || Swi + S W2 \\ 2 < ||S Wl || 2 + ||S W2 ||2 < (f3i-i(m) + /3j_i(m)) • 7 < /3j(m) • 7. 

• Consider a gate which has input wires u and i £ [£], output wire w and which computes 
multiplication. Suppose ||e M || < /3j_i(m) and ||S«||2 < (3i-i(m) • 7, then the following holds 

- c w = XiC u + R T Cj = Xi(x u G + B u ) T s + x«e M + R T (xjG + Bj) T s + R T ej = 

ijB^GR7 + B 

- \\ewW2 = \\xie u + R T e £ | | 2 < p||e M || 2 + m| |ei| | 2 < (pft_i(m) + < • S 

- B w = BjR = (ASj - XjG)R = AS^R + Xi B u = ASjR + x;(AS„ - x u G) = 
A(xjS u + SjR) — (xjX M )G = ASy, — x^G 

- HSiolb = ||xjS„ + SjR|| 2 < (p/3i-i(m) + m) ■ 7 < /3i(m) • 7. 

as required. □ 

Now combining Lemma 5.3 and lemmas analogous to Lemmas 4.6, 4.7 we can build an ABE 
system for a set of functions T which can be computed by depth D circuits with (k, d, g)-complexity 
gates. The bound function will then be 

a T (n) = (M m )) D ■ 20v^ = 0{{p d m) D ^). 

The time complexity of the Eval algorithms for circuit C that consists of (k, d, 5) -complexity 
gates will be 0{g ■ \C\). 
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5.2.1 Example applications for polynomial gates 

Unbounded fan-in OR gate. Assuming that boolean inputs are interpreted as integers in 
{0, 1}, the OR gate of I inputs can be computed with the following recursive formula: 

OR^ + i(xi, . . .,x e ,x e+1 ) = X£ + i + (1 - x e +i) ■ OR^(xi, . . .,Xi), where ORi(xi) = x x . 

It is easy to see that OR^ has restricted complexity (£, 3£, 3£), since at each of the £ iterations we 
do one multiplication by X£ + i and two fan-in 2 additions. Therefore, by Lemma 5.3, an OR^ gate 
increases the noise in the ciphertext by a factor of 0(1 ■ m). 

If we were computing the OR^ function with addition and multiplication gates as in Section 4.3, 
the most efficient way would be to use the De Morgan's law: 

OR£+i(xi, . . .,Xi,x e+ i) = 1 - (1 - xi)(l - x 2 ) ... (1 - xg). 

This function can be computed with one level of £ fan-in-2 addition gates (to compute (1 — x{) for 
i £ [£]), one level of a single fan-in-£ multiplication gate (to compute Hf =1 (l — xi)) and one more 
level of a single fan-in-2 addition gate. The noise then will grow by a factor of 0{£ • m 3 ), which will 
make the scheme 3 times less efficient. 

The Fibonacci polynomial. Consider the following polynomial, defined for x G [—p,p] e using 
the following recurrence: 

IIi(x)=xi, il 2 (x)=x 2 
n i+2 (x) = II i+ i(x)+n i (x)-a: i+ 2 for i G {1, ...,£- 2} 

If expanded, the number of monomials in ILj is equal to the £-th Fibonacci number, which is 
exponential in £. The degree of the polynomial is |_f J ■ The recurrence shows that the restricted 
arithmetic complexity of this polynomial is (£, £, 2£). Therefore, we can compute it with a single 
polynomial gate and, by Lemma 5.3, the growth in ciphertext noise will be proportional to p^ • m. 

We conjecture that computing this polynomial with a polynomial-size arithmetic circuit requires 
linear depth in £. Therefore, the growth in ciphertext noise using the approach of Section 4.3 will 
be proportional to (pm) 0 ^ which is much worse. 

6 ABE with Short Ciphertexts from Mult i- linear Maps 

We assume familiarity with multi-linear maps [BS02, GGH13a], which we overview in Section 2.3. 

Intuition. We assume that the circuits consist of and and OR gates. To handle general circuits 
(with negations), we can apply De Morgan's rule to transform it into a monotone circuit, doubling 
the number of input attributes (similar to [GGH + 13c]). 

The inspiration of our construction comes from the beautiful work of Applebaum, Ishai, Kushile- 
vitz and Waters [AIKW13] who show a way to compress the garbled input in a (single use) garbling 
scheme all the way down to size |x| + poly (A). This is useful to us in the context of ABE schemes 
due to a simple connection between ABE and reusable garbled circuits with authenticity observed 
in [GVW13]. In essence, they observe that the secret key for a function / in an ABE scheme corre- 
sponds to the garbled circuit for /, and the ciphertext encrypting an attribute vector x corresponds 
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to the garbled input for x in the reusable garbling scheme. Thus, the problem of compressing ci- 
phertexts down to size |x| + poly (A) boils down to the question of generalizing [AIKW13] to the 
setting of reusable garbling schemes. We are able to achieve this using multilinear maps. 

Security of the scheme relies on a generalization of the bilinear Diffie-Hellman Exponent As- 
sumption to the multi-linear setting (see Definition 2.9). 1 The bilinear Diffie-Hellman Exponent 
Assumption was recently used to prove the security of the first broadcast encryption with constant 
size ciphertexts [BGW05] (which in turn can be thought of as a special case of ABE with short 
ciphertexts.) 

Theorem 6.1 (Selective security). For all polynomials d max = d max (A), there exists a selectively- 
secure attribute-based encryption with ciphertext size poly(d max ) for any family of polynomial- size 
circuits with depth at most d max and input size £, assuming hardness of (d + 1,1) — Multilinear 
Diffie-Hellman Exponent Assumption. 



6.1 Our Construction 

• Params(l\ d max ): The parameters generation algorithm takes the security parameter and the 
maximum circuit depth. It generates a multi-linear map G(l x , k = d+1) that produces groups 
(Gi, . . . , Gk) along with a set of generators gi,...,gk and map descriptors {e^}. It outputs 
the public parameters pp = ({Gi, 5i}ie[fe] j { e «jKje[fc]) > which are implicitly known to all of the 
algorithms below. 

• Setup(l ): For each input bit i G {1,2,..., £}, choose a random element qi in Z p . Let g = gi 
be the generator of the first group. Define hi = g qi . Also, choose a at random from Z p and 
let t = g%. Set the master public key 

mpk := (hi,. . . ,h e ,t) 

and the master secret key as msk := a. 

• Keygen(msk, C): The key-generation algorithm takes a circuit C with £ input bits and a 
master secret key msk and outputs a secret key skc defined as follows. 

1. Choose randomly ((n, z{), . . . , (re, 2;^)) from l? q for each input wire of the circuit C. 
In addition, choose ((r^+i, o-t+i, be+i), ■ ■ ■ , (r n , a n , 6 n )) from l? q randomly for all internal 
wires of C. 

2. Compute an £ x t matrix M, where all diagonal entries (i,i) are of the form (hi) Zx g Ti 
and all non-diagonal entries (i,j) are of the form (hi) Zj . Append g~ Zi as the last row of 
the matrix and call the resulting matrix M. 

3. Consider a gate V = (u, v, w) where wires u, v are at depth j — 1 and w is at depth j. If 
T is an OR gate, compute 

K r = (Ky = g aw ,Kl = g bw ,K r = g T f~ a ^,K v = g ^- h ^) 

Else if T is an AND gate, compute 

K r = (K r = g aw ,Kl = g bw ,K r = g ^-^ r u-b w r v ^ 

: Our construction can be converted to multi-linear graded-encodings, recently instantiated by Garg et al. [GGH13a] 
and Coron et al. [CLT13]. 
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4. Set a = g a k Zl n 

5. Define and output the secret key as 

sk c := (C,{K r } r€C ,M,a) 

• Enc(mpk, x, fx): The encryption algorithm takes the master public key mpk, an index x G 
{0, l} e and a message [i G {0, 1}, and outputs a ciphertext c x defined as follows. Choose a 
random element s in Z q . Let X be the set of indices i such that Xi = 1. Let 70 = t s if \x = 1, 
otherwise let 70 be a randomly chosen element from Gk- Output ciphertext as 



c x := fx, 70, g s , 7i = ( JJ h i) J 



Dec(skc,c x ): The decryption algorithm takes the ciphertext c x , and secret key skc and 
proceeds as follows. If C(x) = 0, it outputs _L. Otherwise, 

1. Let X be the set of indices i such that Xj = 1. For each input wire i G X, using the 
matrix M compute g Vl (Y\jex hjY* an d then 

9 r 2 iS = e(g s ,g r ^J[h^).eU,g- 



jex J v jex 



2. Now, for each gate T = (u, v, w) where w is a wire at level j, (recursively going from the 
input to the output) compute g^+\ as follows: 

- If T is an OR gate, and C(x) u = 1, compute = e(Kp,#J" s ) • e(g s ,K^). 

- Else if C(x), = 1, compute g^ = e(K*,g r y s ) ■ e(g s ,K*). 

- Else if T is an and gate, compute g r ^_{ = e(^,^ s ) • e(K^,^" s ) • e(g s ,Kf). 

3. If C(x) = 1, then the user computes g r k nS for the output wire. Finally, compute 

^ = e(g s ,a).gr = e(g s ,g a k :l")-gr 

4. Output (i = 1 if ib = 70, otherwise output 0. 



6.2 Correctness 

Claim 6.2. For all active wires w at level j (that is, C(x) w = 1) the user holds g^ 7 ^- 

Proof. Clearly, the base case is satisfied as shown above. Now consider a gate V = (u, v, w). If g is 
an OR gate and assume C(x) u = 1, then 

<$• = e(Kl,g^).e(g°,K*) 

= e{g aw ,g] uS ) ■e(g s ,g r j w ~ awru ) 

= e(g,gj) •e[g,g j ) -efagj) 
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The case when C(x) v = 1 is similar. Also, if g is an and gate, then 

<£fr = e(Kl,g^).e(Klg^).e(g s ,K*) 

= e(g a ™,g r ^ s ) ■ e(g bw ,g r f s ) ■ e(g s , g ^-^r u -b w r v ^ 

I \a w T u s I \b w r v s / \sr w / \-a w r u s-b m r v s 

= e{g,gj) -eyg^j) ■e.{g,g j ) -e^g^j) 
9,9j) -elSSSj) ■ e {9,9j) 

Hence, if C(x) = 1, the user computes g s k " and so 

V> = e(g s ,a) -g r k " s 

I s a~r n \ r n s 

= e(g ,g k _ x n )-g k n 
- 9k ~ f ~ 7o 

if m = 1. □ 
6.3 Security Proof 

Assume there is an adversary Adv* that breaks the security of the ABE scheme. We construct 
an adversary Adv that breaks the (k, ^)-Multi-linear Diffie-Hellman Exponent Assumption. The 
adversary Adv is given a challenge 

(g*,...,g4,...,g4 + \...,g<?,g<»,...,g c '<,p) 

where (3 is either g k 2 <*< k 1 or a ranc l om element of G^. The adversary invokes Adv* and gets 
x* as the challenge index. Let X be the set of indices i such that Xi = 1. The adversary will ensure 
the following induction: for every inactive wire w at depth j, r w = c^ +1 02<j<j c * (P ms known 
randomness). Hence, for all input wires w, r w = c{ +1 (plus known randomness). 

We now define simulated experiments which Adv will be using to break the assumption. 

• Setup* (1^): For each input bit i ^ X, choose a random element bi in Z g and implicitly set qi = 
c ^+i-» _|_ ^ p or gach i g x, choose a random S Z g . Let g = g\ be the generator of the first 

group. For all i, compute hi = g q \ Randomly choose 7 and let t = g k = g k 2<*<k-i 
which can be computed from the challenge component by repeated pairing. Set the master 
public key 

mpk := (hi, ...,h e ,t) 
and the master secret key as msk :=_L. 

• Keygen*(C, msk): The key-generation algorithm takes a circuit C with I input bits and a 
master secret key msk and outputs a secret key skc defined as follows. 

1. For all i G X, choose randomly rj G 7L q . For all i ^ X, randomly choose fi G Z q and 
implicitly set r% = c^ +1 + fi (that is, we embed the challenge into the attributes ^ X). 

2. For all i G [£], choose pi G Z q at random and implicitly set Zi = —c\ + pi. 
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3. Compute the matrix M: 



M := 





g~Z2 


g' Zz 


• g- Zi 








■ fa)*' 


{n 2 ) 




(ri2) 








(H) Zi g r * . 


■ (h 3 y 






(M 23 • 





4. We now argue that the adversary can compute every entry in the matrix M. 

(a) Entries of the first row can be computed by g~ Zl = g c i~ Pi = g c i ■ g~ Pi , where pi is 
known. 

(b) Note that for all % = j (i.e. the diagonal entries). If i £ X, then 

(hi) Zl ■ g r ' = y( c *i +1 ~ i+6 i)(- c i+Pi) • g c l +1 +fi = gci+^Pi-bici+bm+fi 

If i G X, then gj, Zi, r$ are all known. 

(c) Now, consider non-diagonal entries i ^ j. If i ^ X and j G X, then 

{hi y> = = g -4 +1 - i+j . g -bi4 . g vA +1 -' . g b iPj 

which can be computed given the challenge and the knowledge of h,pj. Also, if 
i e X and j £ X, similarly 

(hi)** = (g*)-4+Pi = g-4li . gliPi 

can be computed given the challenge and the knowledge of qi,Pj- 

5. Consider a gate T = (it, v, w) where wires u, v are at depth j — 1 and w is at depth j. 

(a) If T is an OR gate and C(x*) w = 1, then values r w ,a w ,b w are randomly chosen 
from 7L q . Otherwise, we implicitly set a w = Cj + d w ,b w = Cj + k w , where d w ,k w £ 7L q 
are randomly chosen and Cj is the value a part of the challenge. Also, implicitly set 
r w = c^ +1 n2<i<j c « + e w where e w Z q is randomly chosen. Compute 

K T = (ifp = g aw ,K^ = g bw ,K^ = g r f~ av,ru ,K$ = g^'^) 

Note that in the case C(x*) w = 0, 

r w — a w r u = c-^~ j c% + e w — (cj + d w ^ j I Cj + n u ) 

2<i<j 2<j<j-l 
2<i<j-l 
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Hence, component can be computed by pairing j elements from the challenge: 
g Cl , g , g c ' 2 , . . . , g Cj ~ x . Similarly, for term K^- 

(b) Else if T is an and gate and C(x*) w = 1, then values r w ,a w ,b w are randomly 
chosen from "L q . And the adversary computes 

K r = (ifr = 9 aw ,K^ = g bw ,K^ = g^-Wu-b^ 

Otherwise, if C{x*) u = 0, then implicitly set r w = c{ +1 Y\ 2 <i<j c i + e w, a>w = Cj + d w 
where e w , d w are randomly chosen. Also, choose b w at random. Again, the adversary 
can compute 

K T = (Kl = g aw ,Kl = g hw ,Kl = g r.w-a w r u -b w r v ^ 

Note that, 

\\ Ci + e w — (cj + d w ) (c[ +1 ] | Cj + nu) — b w r v 

2<i<j 2<i<jr-l 

— &w Cj7l u d w {c\ J j Ci) d w TL u b w T v 

2<i<7-l 

Hence, can be computed by the adversary by applying j pairings to the chal- 
lenge components g Cl , g £ , g c ' 2 , . . . , g°'~ l and using the other known randomness com- 
ponents. 

The adversary performs the symmetric operations if C(x*) v = 0. 

6. Set a = g^Zi n ■ Note that since C(x*) = 0 the component r n embeds parts challenge 
into it. Hence, a can be computed by the adversary due to cancellation in the exponent: 

a - r n = c[ +1 Yl Cj + j- c[ +1 Y\ C J + e « = 7 + e n 

2<i<fe-l 2<i<fc-l 

7. Define and output the secret key as 

skc := (C, {K r } geC , o-) 

Enc*(mpk, x* , m): The encryption algorithm takes the master public key mpk, an index x* 
and a message m, and outputs a ciphertext ct x * defined as follows. Let X be the set of indices 
i such that x* = i. Implicitly let s = c&. Let 70 = 7 = (3 • g~£ h . Output ciphertext as 



ctx := (x, 70, g Ck , 71 = ( II hi Y^ 



iex 

s 



where b is a randomly chosen bit. Note that ( Yliex ^Y can be computed given the challenge 



c l +1 02<i<fe c 



component g Ck and known randomness qi for i £ X. If f3 = g k x \ then, 



e+i n 

1 ll2<i<fc-l „7\Cfe 



i+1 77 1 

1 1 12<i<k-1 +7\ Cfc 



/ L l ll2<i<fc-l I" 1\ 

= [9k " ) 
= t Ck = t s 
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which corresponds to an encryption of 1. Otherwise, if /3 is a randomly chosen in G^, this 
corresponds to an encryption of 0. 

The adversary Adv uses the above simulated algorithms to answer the queries to Adv* . If Adv* 

returns m = 1, then Adv outputs that (3 = g^ 2 <*<>° \ Otherwise, it outputs that (3 is randomly 
chosen in the target. 



7 Applications and Extensions 

7.1 Single-Key Functional Encryption and Reusable Garbled Circuits 

Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich showed how to obtain a Single-Key Func- 
tional Encryption (SKFE) and Reusable Garbled Circuits from: (1) Attribute-based Encryption, (2) 
Fully-Homomorphic Encryption and (3) "one-time" Garbled Circuits [GKP + 13b]. In this section 
we show what we gain in efficiency in the secret key and ciphertext sizes for these two construction 
by using our ABE schemes. 

Theorem 7.1 ([GKP + 13b]). There is a (fully /selectively secure) single-key functional encryption 
scheme TE for any class of circuits C that take I bits of input and produce a one-bit output, assuming 
the existence of (1) C-homomorphic encryption scheme, (2) a (fully /selectively) secure ABE scheme 
for a related class of predicates and (3) Yao's Garbling Scheme, where: 

1. The size of the secret key is 2 • a • abe.keysize, where abe.keysize is the size of the ABE key 
for circuit performing homomorphic evaluation of C and outputting a bit of the resulting 
ciphertext. 

2. The size of the ciphertext is 2 ■ a ■ abe.ctsize(^ • a + 7) + poly(A, a, (3) 

where (a, (3, 7) denote the sizes of the FEE (ciphertext, secret key, public key), respectively, abe.keysize, 
abe.ctsize(fc) are the size of ABE secret key, ciphertext on k-bit attribute vector and A is the security 
parameter. 

Since FHE (and Yao's Garbled Circuits) can also be instantiated assuming the sub-exponential 
hardness of LWE ([BV11], [BGV12]), we obtain the following corollaries. 

Corollary 7.2. Combining our short secret key ABE construction (Theorem-4-4) an d Theorem- 
7.1, we obtain a single-key functional encryption scheme for a circuit class C with depth at most 
dnmx, where the secret key size is some poly(d max , A) and A is the security parameter. 

To obtain a short ciphertext for functional encryption scheme, we need another observation. 
There exists a fully-homomorphic encryption scheme where ciphertext encrypting k bits of input 
is of size k + poly (A), where A is the security parameter. We refer the reader to the full version for 
further details. 

Corollary 7.3. Combining the above observation, our short ciphertext ABE construction (Theorem- 
6.1) and Theorem-7.1, we obtain a single-key functional encryption scheme for any circuit class C 
with depth at most d max and t bit inputs, where the size of the ciphertext is £ + poly(d max , A) and 
A is the security parameter. 
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Next, we apply our results to get the optimal construction of reusable garbled circuits. 

Theorem 7.4 ([GKP + 13b]). There exists a reusable garbling scheme for any class of circuits C that 
take £ bits of input, assuming the existence (1) symmetric- encryption algorithm, (2) a single-key 
functional encryption for C, where: 

1. The size of the secret key is \C\ + fe.keysize + poly (A), where fe.keysize is the size of the FE 
key for circuit performing symmetric-key decryption and evaluation of C . 

2. The size of the ciphertext is fe.ctsize(A + £) 

where fe.ctsize(A + £) is the size of FE ciphertext on A + £-bit input. 

Corollary 7.5. From Corollary-7.2 and Theorem-7.4, we obtain a reusable garbled circuits scheme 
for any class of polynomial- size circuits with depth at most d max , where the secret key size is 
\C\ +poly(d max , A). 

Corollary 7.6. From Corollary-7.3 and Theorem-7.4, we obtain a reusable garbled circuits scheme 
for any class of polynomial- size circuits with depth at most d max and £ bit inputs, where the cipher- 
text size is £ + poly(<i ma x, A). 

8 Conclusions and open problems 

We presented an ABE for arithmetic circuits with short secret keys whose security is based on the 
LWE problem. At the heart of our construction is a method for transforming a noisy vector of 
the form c = (A|xiG + Bi| • • • \xeG + B^) T s + e into a vector (A|yG + B/) T s + e/ where 
y = f(xi, . . . ,xg) and ej is not much longer than e. The short decryption key skj provides a way 
to decrypt when y = 0. We refer to this property as a public-key homomorphism and expect it to 
find other applications. 

Natural open problems that remain are a way to provide adaptive security from LWE with a 
polynomial-time reduction. It would also be useful to construct an efficient ABE for arithmetic 
circuits where multiplication gates can handle inputs as large as the modulus q. 
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